After building a LAMP stack, it's my understanding that Apache creates a www-data user. But you can't directly log in as www-data (security reasons). Instead, if you want to do something as www-data then you have to run this:

su -s /bin/bash www-data

I can live with that. But I have 2 questions:

  1. What do you do, when you want to upload files via FTP? Currently, I have to FTP as a root user and then chown the files back to www-data after the upload. I run Magento, and that setup insists that I only give the owner permissions to write. Otherwise, I'd just give write access to group.
  2. What do you do, when you want to allow a non-root user to su as www-data? Because if you run su -s /bin/bash www-data as a normal user, then they see This account is currently not available.
  • www-data is the default user for the Debian/Ubuntu packages. RHEL/CentOS uses a user called apache. Apache httpd lets you configure this how you want, and the distros have significantly different default configs. Commented Sep 12, 2018 at 13:00

1 Answer

> it's my understanding that Apache creates a www-data user

No. Most package management systems will create a user when deploying the software.

> you can't directly log in as [that user]

Yes - as you say that's commonly done for security reasons.

> you have to ... su -s /bin/bash www-data

If the system is configured in such a way as to allow this - sometimes even this is disabled.

> What do you do, when you want to upload files via FTP?

You work out a permissions model which allows the relevant users to deploy and modify files and the webserver uid to read those files. In very rare and controlled cases you configure locations outside the document root the webserver uid can write to.

On every webserver I have configured, the webserver uid is the least privileged account, so I've granted it read access via the "other" permission slot, e.g.

  colin@animal /var/www/html $ ls -l
  total 28
  -rw-rw-r-- 1 colin webdev  11321 Dec 27  2016 index.html
  drwxrwsr-x 2 colin webdev   4096 Jan 10  2017 session
  -rw-rw-r-- 1 colin webdev    148 Feb 18  2018 login.php
  drwxrwsr-- 1 colin grafx    4096 Jan  9  2017 images
  -rw-rw-r-- 1 colin grafx    8334 Jul  4 21:59 logo.png

Permissions are the means by which you share access, not deny access.

> allow a non-root user to su as www-data

I don't. It should never be necessary.
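One way to apply and check the permissions model described in the answer above, as an added example that is not part of the original answer. The function names and the paths in the usage comment are assumptions; `webdev` and `www-data` are the group and user names that appear on this page.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Model: deployers own and write
# the files through a shared group; the web server uid only reads via "other".

# apply_model DOCROOT GROUP
# Must be run by the file owner (or root), with GROUP being a group they belong to.
apply_model() {
    am_root=$1
    am_group=$2
    chgrp -R "$am_group" "$am_root" || return 1
    # Directories: rwx owner/group, setgid so new files inherit the group,
    # r-x for other so the web server can list and traverse.
    find "$am_root" -type d -exec chmod 2775 {} +
    # Files: rw owner/group, read-only for other.
    find "$am_root" -type f -exec chmod 0664 {} +
}

# audit_model DOCROOT WEB_USER
# Prints one finding per line; prints nothing when the tree matches the model.
audit_model() {
    au_root=$1
    au_user=$2
    # Anything the web server uid could modify: writable by "other" ...
    find "$au_root" ! -type l -perm -0002 -exec printf 'WRITABLE %s\n' {} \;
    # ... or owned by the web server account itself (only if that account exists).
    if id "$au_user" >/dev/null 2>&1; then
        find "$au_root" ! -type l -user "$au_user" -exec printf 'OWNED %s\n' {} \;
    fi
    # Anything the web server uid could not serve: directories lacking r-x
    # for other, files lacking r for other.
    find "$au_root" -type d ! -perm -0005 -exec printf 'UNREADABLE %s\n' {} \;
    find "$au_root" -type f ! -perm -0004 -exec printf 'UNREADABLE %s\n' {} \;
}

# Usage (paths are assumptions):
#   apply_model /var/www/html webdev
#   audit_model /var/www/html www-data
```

With this in place, files uploaded by any member of the group land with the right group because of the setgid bit, so no `chown` to the web server account is needed after an upload.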
