On Sun 28 Oct 2018 at 19:57:08 (-0400), Gene Heskett wrote:
> On Sunday 28 October 2018 18:42:41 mick crane wrote:
> > On 2018-10-28 21:38, Ben Caradoc-Davies wrote:
> > > On 29/10/2018 10:26, Carl Fink wrote:
> > >> On 10/28/2018 05:16 PM, mick crane wrote:
> > >>> what's the deal with www-data ?
> > >>> I never made that user
> > >>> I dunno if it has a password or what ?
> > >>> these are things that some setup / install makes ?

If you are merely alarmed, perhaps read
/usr/share/doc/base-passwd/users-and-groups.txt.gz where you'll see
that user/group 33 is reserved for this user.

> > >> It's created by the Apache installer. Check the Apache docs.

… but bear in mind that you don't have to install apache for that
user/group to be created on your system.

> > > And it should have no password. This user is accessed by switching
> > > to it from root. As a security measure, after binding to privileged
> > > network ports as root, apache switches to user www-data so that, if
> > > it is compromised, the damage is limited. Processes that have
> > > dropped root privileges cannot automatically regain them. Postgres
> > > and Tomcat do the same thing with their own dedicated users.
> >
> > I'm asking because somebody is saying that webmail server files should
> > be owned by root but I don't know about that, if somebody has got so
> > far to be www-data they might as well be root ?

Then you probably need to read the docs carefully, rather than taking
any notice of what's written below, which contradicts anything I've
read on this subject.

> I don't think that's how it works. UID/GID as www-data is just part of the
> sandbox apache2 and its ilk play in. In fact after I've equipped apache2
> with some new toy, the last thing I do as root is a chown -R
> www-data:www-data any directory apache2 can access in going about its
> normal business.
>
> That's how IUI, and no one accessing my web page (it's on this machine)
> has jumped the sandbox fence in around 15 years now.

Why would they bother.

Cheers,
David.
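The thread turns on one question: what can a process running as www-data modify? Privilege dropping only limits the damage if the files the server executes (its PHP, configuration, vhost definitions) are not writable by the account it runs as; "chown -R www-data:www-data" over the whole tree makes every one of them writable. The following audit script is an added example written for this thread, not code from the list or from Debian or Apache. It walks a document root and reports every entry that a given service account could write to, using the same owner/group/other checks the kernel applies. The function names (`writable_by`, `audit_docroot`, `build_sample_docroot`) and the sample tree it builds are constructed for the example; on a real host you would point it at your own DocumentRoot and pass the uid/gid of www-data (33 on Debian, per users-and-groups.txt.gz).

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by(st, uid, gid):
    """True if an account with (uid, gid) could write to a file with stat result st.

    Mirrors the kernel's ordinary permission check: owner bits apply when the
    uid matches, group bits when the gid matches, and the 'other' write bit
    applies to everyone.  (Supplementary groups, ACLs and root's override are
    deliberately ignored here; this is a coarse audit, not a full access(2).)
    """
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root, uid, gid):
    """Walk root and return the sorted relative paths the service account could modify.

    A writable directory counts too: being able to create or rename entries in a
    directory that the web server executes from is as dangerous as a writable file.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink are meaningless; audit the target separately
            if writable_by(st, uid, gid):
                findings.append(str(p.relative_to(root)))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed document root in a temp dir for demonstration.

    Code files are made read-only, an uploads directory stays owner-writable,
    and one uploaded file is (mistakenly) world-writable.  Everything is owned
    by whoever runs this script, since chown to another user needs root.
    """
    base = Path(tempfile.mkdtemp(prefix="docroot-"))
    (base / "index.php").write_text("<?php echo 'hi';\n")
    (base / "config.php").write_text("<?php $db_password = 'constructed';\n")
    (base / "uploads").mkdir()
    (base / "uploads" / "avatar.png").write_bytes(b"\x89PNG")
    os.chmod(base / "index.php", 0o444)            # code: nobody writes it at runtime
    os.chmod(base / "config.php", 0o440)           # secrets: readable by group only
    os.chmod(base / "uploads", 0o755)              # data dir: owner may write
    os.chmod(base / "uploads" / "avatar.png", 0o666)  # world-writable: always flagged
    return base


if __name__ == "__main__":
    docroot = build_sample_docroot()
    me, my_group = os.getuid(), os.getgid()
    # Scenario 1: the service account owns the tree (the "chown -R www-data" setup).
    print("owner == service account :", audit_docroot(docroot, me, my_group))
    # Scenario 2: files are owned by someone else (root), the server only reads them.
    print("owner != service account :", audit_docroot(docroot, me + 1, my_group + 1))
```

Run as-is, the first scenario reports the uploads directory and the world-writable file; the second reports only the world-writable file, because once the server account no longer owns the tree, its read-only code stays out of reach even though the directory mode is unchanged. That gap between the two listings is exactly what "files owned by root, served by www-data" buys you.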

