On 12/24/2013 02:57 AM Raffaele Morelli wrote:
Read apache webserver documentation.
This is a good idea in general, but a more specific reference would
actually be practical.
There is no problem whatsoever with files being owned by root. This
is done all of the time. It is okay. This is the default for files
installed by Debian packages for example.
If you truly believe that files owned by root are a problem then
please start filing bug reports because there are a lot of packages
with files owned by root.
You are quite wrong here, "debian packages" (what are you referring to?)
are not php scripts supposed to go online and be exposed to the world.
Keep in mind that if a php script is owned by root user and there's a
security hole in it, an attacker can easily access every block of your
file system.
There seems to be some conflation here involving the ownership of the
file and the ownership of the process when these are actually quite
distinct. For example, /bin/rm is owned by root. But the mere
execution of it by a regular user doesn't give that regular user root
privileges. Conversely if a regular user owns an executable file and
this file is executed by root, that process is not then owned by that
regular user. In short, the ownership of the file does not determine
the ownership of the process invoked by that file.
Web pages are supposed to run with the same privileges and (limited)
shell as the user who runs the webserver.
This part is true and is why public-facing webserver *processes* are not
invoked by root (though not too long ago they used to be).
Please, don't you spread confusion and read about security stuff.
Good conversation. It seems we need more of this kind of thing.
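The distinction drawn in the message above, between who owns an executable file and who owns the process started from it, as an added shell example that is not part of the original thread. The function names are hypothetical, and the example goes one step beyond the message by covering the setuid bit, the one case where the file's owner does set the process's effective UID.

```shell
#!/bin/sh
# Added example (not from the original thread): file owner vs. process owner.

# Numeric UID of the owner of a file (symlinks followed).
file_owner_uid() {
    ls -lnLd -- "$1" | awk '{print $3}'
}

# Effective UID a process gets when the current user executes the file.
# Without the setuid bit the process keeps the caller's UID, whoever owns
# the file. With the setuid bit on a binary it takes the file owner's UID.
# (Linux ignores setuid on interpreted scripts and on nosuid mounts.)
predicted_euid() {
    if [ -u "$1" ]; then
        file_owner_uid "$1"
    else
        id -u
    fi
}

# One-line report for an executable.
report() {
    printf '%s: file owner uid=%s, setuid=%s, process euid=%s\n' \
        "$1" "$(file_owner_uid "$1")" \
        "$([ -u "$1" ] && echo yes || echo no)" \
        "$(predicted_euid "$1")"
}

# Measured rather than predicted: run the id binary by absolute path and
# let the resulting process report its own effective UID.
measured_euid_of_id() {
    "$(command -v id)" -u
}

report "$(command -v rm)"
report "$(command -v id)"
echo "id process actually ran as uid=$(measured_euid_of_id)"
```

Run as an unprivileged user on a typical Debian system, the reports show a file owner UID of 0 next to a process UID equal to the caller's own.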