I was having trouble uploading files using my CMS (Drupal). When I put more restrictive file permissions on, I could not upload anything. Then I changed the owner of the upload directory and all sub-folders to daemon, and everything worked fine. What exactly is daemon? Is this the user used by Apache or PHP?
Is it safe to use daemon as the owner for folders and sub-folders in an upload directory?
Apache is usually not running as daemon, and PHP is usually just running under whatever user Apache is running as.
The name daemon sounds quite generic so if one developer saw it fit to use that by default for some daemon it would not be a surprise if others saw it fit for other daemons.
So it is possible that multiple daemons are running as that user, and a security vulnerability in any of them could open for access to any resources that the daemon user is allowed to access.
More separation would be better, so I would look for where the user is configured and use a dedicated user. That is the best security advice I can give based on the information in your question.
You can use the ps command to find out what is running as that user.
If a daemon needs to create files it will need write access to the directory they are written to. But it does not have to be owner of the directory. Instead you can let the directory be owned by root and have its group be the one under which the daemon is running. Then you can grant write access to the group. For example
chmod 1775 directory
That version would allow anybody in the group to create files in the directory but not to delete or rename files created by other users. And those not in the group would have access to read the directory and access its contents.
