owner of dir/files
jez.hancock at munk.nu
Wed Nov 12 02:15:24 PST 2003
First of all please don't reply to an old thread when posting a new
topic - it messes the threading up and confuses things generally.
On Tue, Nov 11, 2003 at 09:58:20AM -0500, M.D. DeWar wrote:
> I just noticed that when I d/led a program and un-tarred it and set it up
> that the directory in the apache web root has
> as owner something like 501:www . I also noticed some others that were
> mysql:mysql or 500:100 for the user/group.
This happens when the owner:group on the source system don't exist on
the destination system. Say the owner of the files was 'mark' on the
original server and his uid was 501, but no user existed on your system
with uid 501, then the owner would show up just as the UID, in this case
> I am not sure what happens if left that way. Since there is no user/group
> for those does it mean the files won't run or be served ?
Depends on what the permissions of the 'other' bit are. For a file
that's owner:group is 501:www, permissions of 755 on the file
would mean the files would be read/write/executable (7) by the user with UID
501 - in your case noone has that UID so noone has rwx perms other than
root. Similarly the file would be read/executable (5) by the 'www' group
and read/executable (5) by the 'other' group.
So as it is the file would be served by the webserver since the 'www'
user has read/execute access. However it's not a good idea to leave files
unowned on the system in case you eventually do add a user with UID 501
- in which case they would end up getting rwx perms on the file.
If only the webserver will be accessing the file then you can generally
just do 'chown www:www <file>' to change the owner:group to www:www.
There are security implications of leaving files rwx by the www user,
especially if the file is a config file and you have other users on the
server that can run cgi scripts - the file could be overwritten by a
malicious script in that case. For config files it's best to set the
> In my web root should all directories and files be nobody:nobody ?
that could work, but only if the perms for 'other' are sufficient to
allow reading of the files - since the web user is in the other group
and needs to be able to read the file to be able to serve it via the
> what if some are root:wheel ?
The same holds again, although having files owned by root in a web
docroot isn't a great idea - if the file is a CGI script and a
vulnerability is found in the script and a misconfigured suexec system
is in place, commands could be executed with root permissions.
- System Administrator / PHP Developer
More information about the freebsd-questions