> So we should have a WWWAPPS_USER, and make sure that the web servers
> are set up by default to switch to it when needed? There are programs
> that need read-write files and directories and expect to own them;
> having these files owned by the apache/nginx user (and the apps
> running as that user) isn't a great idea.
>
> Miscellaneous readonly files should be owned by root though.

Well, drupal and wordpress are probably good examples for what you describe. They have parts that can be owned by root, but read-only accessible to the web-server, and parts that need to be read-write accessible to the web-server or whatever runs PHP (in the case of drupal/wordpress).

As far as I understand pkgsrc, it should be no real problem to have the correct mode and ownership set; it's just a matter of the maintainer implementing it properly. As ROOT_USER is available already, something like your WWWAPPS_USER could be introduced for those special parts.

However, as Joerg already pointed out in a different part of the thread, this only works properly as long as something other than apache is used. mod_perl, mod_php, mod_whatever run as the same user as apache - naturally, as it's the same process.

But, of course, in those cases, WWWAPPS_USER can be set to APACHE_USER. You will still have the separation of ROOT_USER owned files vs WWWAPPS_USER, but WWWAPPS_USER will be the same as WWW_USER, because that's APACHE_USER.

Volkmar

--
http://www.dimensionv.de/ http://tech.nifelheim.info/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OpenPGP Fingerprint: E03D 33DB B409 2E99 C2DA 7D64 145F 0A76 D252 7078
Key: http://www.dimensionv.de/pgp (+ all public key-servers)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
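The ownership split discussed in this thread (read-only parts owned by ROOT_USER, read-write parts owned by WWWAPPS_USER, and the degenerate case where WWWAPPS_USER collapses into WWW_USER because the application runs in-process via mod_php or mod_perl) can be checked mechanically. The following audit script is an added example, not pkgsrc code or anything from this thread; the variable names ROOT_USER, WWWAPPS_USER and WWW_USER come from the discussion, while the `scan_tree`/`audit` functions, the policy rules and the drupal-like sample manifest under `/usr/pkg/share/drupal` are assumptions constructed for illustration.

```python
"""Audit a web application's install tree for the ROOT_USER / WWWAPPS_USER
ownership split: everything outside the declared read-write parts must be
owned by ROOT_USER and not writable by group/other; the read-write parts must
be owned by WWWAPPS_USER and never world-writable.  Added example, not pkgsrc
code; function names and policy are assumptions.
"""
import os
import pwd
import stat
from typing import List, Sequence, Tuple

Entry = Tuple[str, str, int]  # (absolute path, owner name, permission bits)


def scan_tree(top: str) -> List[Entry]:
    """Walk a real directory tree and return (path, owner, mode) entries
    for every directory and file, in the shape audit() expects."""
    entries: List[Entry] = []
    for dirpath, _dirnames, filenames in os.walk(top):
        for name in ["."] + filenames:
            path = dirpath if name == "." else os.path.join(dirpath, name)
            st = os.lstat(path)
            owner = pwd.getpwuid(st.st_uid).pw_name
            entries.append((path, owner, stat.S_IMODE(st.st_mode)))
    return entries


def audit(entries: Sequence[Entry], prefix: str, root_user: str,
          wwwapps_user: str, www_user: str,
          writable_dirs: Sequence[str]) -> List[str]:
    """Return human-readable findings.  writable_dirs are paths relative to
    prefix that the application legitimately needs read-write access to."""
    findings: List[str] = []
    writable_abs = [os.path.join(prefix, d) for d in writable_dirs]
    for path, owner, mode in entries:
        rel = os.path.relpath(path, prefix)
        in_writable = any(path == w or path.startswith(w + os.sep)
                          for w in writable_abs)
        if in_writable:
            # Read-write part: must belong to WWWAPPS_USER, never to the world.
            if owner != wwwapps_user:
                findings.append(f"{rel}: read-write part owned by {owner}, "
                                f"expected {wwwapps_user}")
            if mode & stat.S_IWOTH:
                findings.append(f"{rel}: world writable (mode {mode:04o})")
        else:
            # Read-only part: ROOT_USER owns it and nobody else may write it,
            # otherwise the web server can rewrite application code/config.
            if owner != root_user:
                findings.append(f"{rel}: read-only part owned by {owner}, "
                                f"expected {root_user}")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{rel}: read-only part is group/world "
                                f"writable (mode {mode:04o})")
    # The mod_php / mod_perl case from the thread: the separation between the
    # server and the application is gone, which is worth surfacing explicitly.
    if wwwapps_user == www_user:
        findings.append(f"note: WWWAPPS_USER and WWW_USER are both "
                        f"'{www_user}'; an in-process module can write every "
                        f"file in the read-write parts")
    return findings


# Constructed sample manifest mimicking a drupal install (not a real scan).
SAMPLE_PREFIX = "/usr/pkg/share/drupal"
SAMPLE_ENTRIES: List[Entry] = [
    (SAMPLE_PREFIX, "root", 0o755),
    (SAMPLE_PREFIX + "/index.php", "root", 0o644),
    (SAMPLE_PREFIX + "/includes/bootstrap.inc", "root", 0o644),
    # Wrong: config owned and writable by the web server user.
    (SAMPLE_PREFIX + "/sites/default/settings.php", "www", 0o664),
    (SAMPLE_PREFIX + "/sites/default/files", "wwwapps", 0o775),
    (SAMPLE_PREFIX + "/sites/default/files/upload.png", "wwwapps", 0o664),
    # Wrong: world-writable upload scratch directory.
    (SAMPLE_PREFIX + "/sites/default/files/tmp", "wwwapps", 0o777),
]
SAMPLE_WRITABLE = ["sites/default/files"]


def audit_sample(www_user: str = "www") -> List[str]:
    """Run the audit over the constructed manifest; www_user="wwwapps"
    models the mod_php case where WWWAPPS_USER is set to APACHE_USER."""
    return audit(SAMPLE_ENTRIES, SAMPLE_PREFIX, root_user="root",
                 wwwapps_user="wwwapps", www_user=www_user,
                 writable_dirs=SAMPLE_WRITABLE)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
    # To audit a real tree instead:
    # audit(scan_tree("/usr/pkg/share/drupal"), "/usr/pkg/share/drupal",
    #       "root", "wwwapps", "www", ["sites/default/files"])
```

Against the sample manifest the audit reports the web-server-owned and group-writable `settings.php` and the world-writable `files/tmp`; with `www_user="wwwapps"` it additionally emits the note that the in-process module case has removed the server/application separation, which is exactly the trade-off the message above accepts when WWWAPPS_USER is set to APACHE_USER.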