Root should NOT own any directory that is publicly accessed, such as web content.
I don't know if this is worded wrong, or maybe English isn't your primary language, but this is the worst advice as-worded. You shouldn't run services as root, but yes, files and directories *should* be owned by root as much as possible.
Should there be a breach, then the visitor will have root access to the whole system.
Not true, if there is a breach they only get access to apache and files owned by apache, NOT the whole system. I think you have file ownership and service ran as confused.
It is better if the directory is owned by the web server, and that depends on your platform.
No. If there is a breach the attacker gets the permissions of the service they breached. If you give all of the directories and files the same user level as the service that was breached the attacker can now access / alter all of the files belonging to that breached service. This is why you want the files owned by root, so if apache gets breached, the attacker CAN NOT touch those files because they are owned by root NOT apache. _______________________________________________ Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users