tech-pkg archive
Re: Apache should never be a mandatory dependency
On Fri, May 16, 2014 at 05:25:16PM +0200, Volkmar Seifert wrote:
> > > Any reason APACHE_USER/APACHE_GROUP and NGINX_USER/NGINX_GROUP must
> > > differ? Some packages depend on apache and set
> > > WWW_USER=APACHE_USER/WWW_GROUP=APACHE_GROUP, then set permissions
> > > with WWW_USER/WWW_GROUP.
> >
> > I think we should consolidate a WWW_GROUP, but not a user. It often
> > makes sense to limit accessibility for the group, e.g. for FastCGI
> > sockets. Nothing should run as the unprivileged web server user
> > though.
>
> Fair enough, though in order to prevent uncontrolled growth of users,
> consolidating a WWW_USER isn't a bad idea, either.
> Especially when it comes to web-applications, I wouldn't want them to
> be owned by "root". The WWW_USER would be the expected user and safer
> than root.
> See my other emails for elaboration on a suggestion to a solution while
> maintaining the possibility of customization by the user.
So we should have a WWWAPPS_USER, and make sure that the web servers
are set up by default to switch to it when needed? There are programs
that need read-write files and directories and expect to own them;
having these files owned by the apache/nginx user (and the apps
running as that user) isn't a great idea.
Miscellaneous readonly files should be owned by root though.
--
David A. Holland
dholland%netbsd.org@localhost