Setting user's GID to www-data, security question

Discussion in 'Server Operation' started by artomason, Aug 7, 2011.

  1. artomason

    artomason New Member

    Greetings,

    I have a LAMP server running on Debian Squeeze. I'm currently configuring the adduser.conf file and creating a script to automatically add virtual hosts and users based on the virtual host; however, I have some questions.

    Say the user in question is Joe and I don't want to give him his own GID; instead, I only want him to be part of the www-data group.

    If I add him ONLY to the www-data group and he does not have his own system group (i.e. Joe:Joe vs. Joe:www-data), will this pose a security issue? I assume for compatibility reasons with ISPConfig 3 I would have to set his shell to /bin/bash as well.

    Thanks

    PS - Sorry if this has been covered. I googled around and really couldn't find a plain text answer.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    If Joe just belongs to the group Joe, he can read/write/execute all files that belong to the group Joe. If Joe is a member of the www-data group, he can read/write/execute all files that belong to the www-data group. If you have more than one web site (and not all are owned by Joe), and these web sites have files that belong to the www-data group, this can be a security issue (for example, if these files contain passwords, for MySQL, for example).
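
An added example, not part of the original thread: a Python check for the exposure described in the answer above, listing regular files under a web root that belong to the shared group and whose mode grants that group read or write access. The function name `group_exposed_files` and the sample tree are constructed for illustration; on a real host the gid would come from `grp.getgrnam("www-data").gr_gid`.

```python
import os
import stat
import tempfile


def group_exposed_files(webroot, gid, exclude_uid=None):
    """Return sorted (path, owner_uid, access) for regular files under webroot
    that group `gid` may read ('r') or write ('w'). Files owned by
    `exclude_uid` (the user being reviewed) are skipped. Directory
    permissions are not evaluated, so the result is an upper bound."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_gid != gid or st.st_uid == exclude_uid:
                continue
            access = ""
            if st.st_mode & stat.S_IRGRP:
                access += "r"
            if st.st_mode & stat.S_IWGRP:
                access += "w"
            if access:
                findings.append((path, st.st_uid, access))
    return sorted(findings)


def demo():
    """Constructed tree; the temp directory's group stands in for www-data."""
    sample = {
        "site1/config.php": 0o640,  # group-readable file with DB credentials
        "site2/config.php": 0o600,  # owner-only, not exposed to the group
        "site2/upload.php": 0o660,  # group-writable
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)  # explicit mode, independent of umask
        gid = os.stat(root).st_gid
        found = group_exposed_files(root, gid)
        return [(os.path.relpath(p, root), acc) for p, _uid, acc in found]


if __name__ == "__main__":
    for rel, acc in demo():
        print(f"{acc:2} {rel}")
```

Passing the reviewed user's uid as `exclude_uid` limits the report to other people's files that the group membership would open up.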
     
