tim-moody
commented
7 years ago actually, I see that apache has no password, so creates a level of security, but /usr/sbin/nologin could be added as the shell. also id could be set to 48 for backwards compatibility
jvonau
on a fresh vm with debian jessie:
drwxr-x--- 2 www-data www-data 4096 Feb 1 14:18 awstats drwxr-x--- 18 proxy proxy 4096 Feb 1 13:57 cache drwxr-xr-x 4 www-data root 4096 Feb 1 14:13 dbdata drwxr-xr-x 7 www-data root 4096 Sep 29 2014 dokuwiki drwxr-xr-x 4 root root 4096 Feb 1 13:48 downloads drwxr-xr-x 2 www-data root 4096 Feb 1 14:02 elgg drwxr-xr-x 8 root root 4096 Feb 1 14:12 ka-lite drwxr-xr-x 3 apache apache 4096 Feb 1 14:07 knowledge drwxrwsrwx 9 www-data www-data 4096 Feb 1 14:06 moodle drwxr-x--- 3 www-data apache 4096 Feb 1 14:03 owncloud drwxr-xr-x 3 apache apache 4096 Feb 1 14:08 pathagar drwx------ 19 postgres postgres 4096 Feb 1 14:09 pgsql-xs drwxrwxrwx 2 smbuser smbuser 4096 Feb 1 13:58 public drwxr-xr-x 5 root www-data 4096 Feb 1 14:03 wordpress drwxr-xr-x 4 root root 4096 Feb 1 13:48 working drwxr-xr-x 3 root root 4096 Feb 1 13:48 www drwxr-xr-x 6 root admin 4096 Feb 1 13:59 xs-activity-server drwxr-xr-x 4 root root 4096 Feb 1 14:12 zims
apache is a user: apache:x:1001:1002::/home/apache:/bin/sh, but these should probably be www-data
further, one reason that people use apache in a redhat os is that it has no login, so provides some security in that apache's permissions can not be obtained by logging in as apache. but this apache has a home and shell declaration, so that security is defeated.
so, for example, apache is in the admin group to make xs-activity-server secure
is wordpress meant to have owner root and group www-data vs dokuwiki which is the reverse?
for comparision, here are the owners on a 6.1 centos install:
drwxr-xr-x 3 apache apache 4096 Feb 1 08:01 awstats drwxr-x---. 18 squid squid 4096 Jun 28 2015 cache drwxr-xr-x. 10 apache apache 4096 Nov 22 16:49 content drwxrwxr-x 4 apache root 33 Nov 10 07:32 dbdata drwxr-xr-x 7 apache root 4096 Sep 29 2014 dokuwiki drwxrwxr-x 7 root root 4096 Sep 29 2014 dokuwiki-2014-09-29 drwxr-xr-x 6 root root 4096 Nov 4 07:35 downloads drwxr-xr-x 4 apache root 49 Jul 1 2015 elgg drwxr-xr-x 3 root root 23 Dec 16 2015 hiiab drwxr-xr-x 2 root root 4096 Jan 24 2016 index_assets drwxr-xr-x 3 root root 52 Jan 15 2016 ka-content2 drwxr-xr-x 8 root root 4096 Oct 20 14:54 ka-lite drwxr-xr-x 3 root root 25 Aug 30 10:47 ka-lite.save drwxr-xr-x 8 root root 4096 Oct 20 15:52 ka-lite-test drwxr-xr-x 3 apache apache 20 Jun 23 2015 knowledge drwxr-xr-x 7 root root 138 Aug 16 09:20 modules drwxrwx--- 2 apache apache 6 Nov 10 07:30 moodle drwxr-x--- 3 apache apache 17 Jun 19 2015 owncloud drwxr-xr-x 3 apache apache 18 Jun 20 2015 pathagar drwx------ 19 postgres postgres 4096 Nov 10 07:45 pgsql-xs drwxrwxrwx 2 smbuser smbuser 6 Jun 19 2015 public drwxr-xr-x 4 root root 40 Jul 9 2015 rachel -rwxr-xr-x 1 root root 53 Jan 11 09:31 rsync-zims drwxr-xr-x 3 root root 17 Dec 29 2015 sugarizer drwxr-xr-x 4 sugar-stats sugar-stats 50 Jun 24 2015 sugar-stats drwxr-xr-x 2 root root 6 Jun 19 2015 users drwxr-xr-x 5 apache apache 4096 Jan 31 03:28 wordpress drwxr-xr-x 4 root root 30 Jun 27 2016 working drwxr-xr-x 8 root admin 124 Nov 21 2015 xs-activity-server drwxr-xr-x 6 root root 60 Jun 19 2015 xs-rsync drwxr-xr-x 4 root root 50 Jan 10 12:35 zims