
So I have been wondering what the true purpose of www-data user/group is. Should I include other programmers into this group that will be editing the files in the website root? Should all of the documents be owned by www-data?

  • Possible duplicate of [What permissions should my website files/folders have on a Linux webserver?](http://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver) – user9517 Feb 21 '16 at 18:35

2 Answers


The short answer is yes.

As soon as the process has the ports - usually 80 and 443 - it drops root privileges and runs as that user. Thus, files owned by that user / group are accessible by apache. You can make users members of that group to give them access, just keep the underlying folders also accessible. ...

On other distros the username and the groupname might be called apache.

Király István
  • I think there are two questions here -- 1) include programmers? and 2) document ownership. Yes, www-data should own documents, but it would be poor practice to add people to the www-data _group_ -- see my thoughts below. – Tom Harrison Jr Feb 21 '16 at 19:53

www-data is just a UNIX group, and one used by default for Apache. The UNIX user www-data is different, and must have permissions needed to write log files, perhaps POST data, and other system tasks. These values (User and Group) are specified in the apache configuration file, typically found in /etc/apache or /etc/httpd. The web server master typically runs as the root user, and then dispatches work to workers, who run with the privileges of the configured user and group.

Apache is a service, and like other services it is typically something only a small set of people in an organization would have access to, often via sudo. I do not suggest that you change this group to have wide access, or be something a lot of people can get at.

Smaller companies may not have operations or IT departments to manage web servers, so in this case the developers may be the system administrators; larger companies probably lock things down pretty tightly. In the former case, developers might be part of a group such as developers and gain access as needed via sudo, for example to look at a log file or adjust the server config. But this is a system administration task and should be very limited for the user, and quite restricted for the group.

In some cases, it may make sense for the group (not user) to have read, but not write access. In this case, you might want to create a special group shared by related services -- for example perhaps you have Apache, MySQL and PHP and would want users to be able to see logs and config for all of those. Another use-case for a common group is automated deployments.

Write access should be very carefully controlled. sudo, when used properly, is a good tool to allow users to gain limited access to specific resources, like logs, or perhaps to restart the server.

But I respectfully disagree with the accepted answer -- the short answer is no. In most cases, services should have users and groups with very limited access, and any change to permissions should be carefully considered. This is especially true for web servers and other services like FTP or SMTP whose ports are directly exposed to the Internet.

Tom Harrison Jr
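Both answers describe the same split in different words: the web server's worker processes run as www-data and only need to *read* the document root, while the humans or the deploy pipeline that write to it should do so as a different user. The script below is an added example, not code from either answer, of what that looks like on disk. It assumes a layout where the docroot is owned by a deploy user (here called `deploy`, an assumed name) with group `www-data`, that Apache's User/Group directives are set to www-data, and that an `uploads` subtree is the only place the server itself must write. `chown` needs root, so ownership is only changed when an owner and group are passed; the mode changes and the audit run as an ordinary user, which is what the usage at the bottom and any post-deploy check would do.

```shell
#!/bin/sh
# Added example: separate "who writes the docroot" (deploy user) from
# "who reads it" (the www-data group Apache's workers run as).
# All names below (deploy, www-data, /var/www/example, uploads) are assumptions.

# Directories 0750, files 0640: the owning deploy user can write, the
# www-data group can read (and traverse directories), everyone else gets
# nothing. Ownership is only changed when OWNER and GROUP are given,
# since chown requires root. Note this does not touch the *parent* of
# DIR (e.g. /var/www); that must stay traversable (o+x or group access)
# or Apache cannot reach the docroot at all.
harden_docroot() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || { echo "harden_docroot: no such directory: $dir" >&2; return 2; }
    if [ -n "$owner" ] && [ -n "$group" ]; then
        chown -R "$owner:$group" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 0750 {} + || return 1
    find "$dir" -type f -exec chmod 0640 {} + || return 1
}

# The one exception: a subtree the web server itself must write to
# (uploads, cache). Give the group write access only here, and set the
# setgid bit on directories so files created by www-data or by the deploy
# user both inherit the www-data group instead of the creator's primary group.
allow_group_write() {
    dir=$1
    [ -d "$dir" ] || { echo "allow_group_write: no such directory: $dir" >&2; return 2; }
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# Audit: print every file or directory under DIR that is writable by group
# or others (i.e. by the web server, or by anyone), skipping the one subtree
# where that is intended. ALLOWED must be given as "$DIR/subdir" so that it
# matches the path find prints. Symlinks are skipped because their own mode
# is always 0777 and would be a false positive. Returns 1 if anything is found,
# so it can gate a deploy or run from cron.
audit_docroot() {
    dir=$1 allowed=${2:-/nonexistent}
    bad=$(find "$dir" -path "$allowed" -prune -o \
               \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'audit_docroot: writable by group/other:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (assumed paths):
#   sh docroot-perms.sh harden /var/www/example deploy www-data   # as root
#   sh docroot-perms.sh allow  /var/www/example/uploads
#   sh docroot-perms.sh audit  /var/www/example /var/www/example/uploads
case ${1:-} in
    harden) harden_docroot "$2" "$3" "$4" ;;
    allow)  allow_group_write "$2" ;;
    audit)  audit_docroot "$2" "$3" ;;
esac
```

The audit is the part worth keeping around: after a deploy, or from a cron job, a non-empty result means something in the docroot can be modified by the process that is exposed on ports 80 and 443, which is exactly the situation the second answer warns against. Giving developers membership in `www-data` would make every file that the group can write look "clean" to this check while still being writable by the server, which is why the deploy user, not the service group, owns the tree.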