[Typo3-linux] Owner/Group settings in typo3_src and dummy packages
Karsten Dambekalns
k.dambekalns at fishfarm.de
Wed May 21 11:55:39 CEST 2003
Michael Stucki wrote:
>>And is it bad that the apache user is nobody?
>
> This is standard on SuSE and some other distributions. However, on Debian
> this user is called 'www-data' which seems better to me - but don't ask me
> why, I just think so....

Well, on a lot of systems, 'anonymous users' like FTP or accounts that
need some group but should get as few privileges as possible are in
nobody as well.

Now if someone breaks in (in whatever way) and thus becomes nobody, this
would usually limit the impact of the break-in.

If those 'document root' files belong to group nobody, and are writable
(something we need for TYPO3), this opens the door to hacking websites
wide open.

I think having a separate group for Apache (as done in Debian) is a Good
Thing!

Hope I didn't talk any nonsense.

Karsten
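
The exposure described in the message above can be checked on a host. This is an added example, not part of the original post: it lists group-writable entries under a document root that belong to a given group id, together with the accounts that share that group. The function names, arguments and default file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a document root for
# writable entries owned by a group that several accounts share.
# Function names, arguments and default paths are assumptions.

# Accounts with group id $1 as primary group (passwd-format file $2)
# or as supplementary group (group-format file $3), one per line.
accounts_in_group() {
    gid=$1; passwd_file=${2:-/etc/passwd}; group_file=${3:-/etc/group}
    {
        # passwd fields: name:pw:uid:gid:... -> primary group members
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file"
        # group fields: name:pw:gid:member,member -> supplementary members
        awk -F: -v g="$gid" '$3 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
        }' "$group_file"
    } | sort -u
}

# Files and directories under $1 that belong to group id $2 and have the
# group write bit set.
group_writable_files() {
    find "$1" -group "$2" -perm -020 -print | sort
}

# Returns 1 when group-writable entries belong to a group that more than
# one account can act as (the shared 'nobody' case), 0 otherwise.
audit_docroot() {
    root=$1; gid=$2; passwd_file=${3:-/etc/passwd}; group_file=${4:-/etc/group}
    members=$(accounts_in_group "$gid" "$passwd_file" "$group_file")
    count=$(printf '%s\n' "$members" | awk 'NF { c++ } END { print c + 0 }')
    files=$(group_writable_files "$root" "$gid")
    if [ -n "$files" ] && [ "$count" -gt 1 ]; then
        echo "SHARED: gid $gid is used by: $(echo $members)"
        printf '%s\n' "$files"
        return 1
    fi
    echo "OK: no group-writable entries shared between accounts"
}

# Usage: script DOCROOT GID [PASSWD_FILE [GROUP_FILE]]
if [ "$#" -ge 2 ]; then audit_docroot "$@"; fi
```

With a dedicated Apache group, as on Debian, the group has a single member and the audit reports OK even though the files stay group-writable for TYPO3.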