On Fri, Jun 14, 2019 at 02:58:05PM +0200, to...@tuxteam.de wrote: > That's my standard setup: the files belong to a "www admin" (can be a > regular user, can be root) and have the group www-data. So the web > server hasn't (usually) write access to normal htmls and cgi-bins > (oh, for the last, execute access for the group is necessary, so 075x.
Changing the group-owner of the files is one possible approach, yes. However, I prefer to remind myself that if I put something on the web, the entire world can see it. So any attempt to restrict who can read the files on my local system would be entirely pointless, if they can simply read them on the world wide web instead. Thus, making the files world-readable is completely rational. And saves you the headaches and hassles of managing group permissions and umasks and so on. (However, those headaches may return if you are trying to allow multiple people administrative access to the content. That's a separate issue.)
