4.1 setgid and web servers

In most distributions, the web server (usually Apache) runs as its own user, www-data for Debian-based distributions. It is important that the web server does not run as root for security reasons.

If the web server permits users to have their own web content published, this www-data user poses some interesting issues. In order for the web server to be able to access a user’s web content, there are a few options.

• Set files to o+r and directories to o+rx. This approach makes files visible to everyone. Note that in order to access files in a user’s public_html folder, it also means that the home folder itself also needs the same permissions. While this approach is easy to implement (most distributions set permissions like this by default), it also means that there is no privacy. Every user can see the web files of other users. In this case, the web server accesses web files as “others” since www-data is neither the group owner nor the user owner of the files.
• Set files to o-r, directories to o-rx. Change group ownership of the home folder and public_html to www-data, and set g+s on public_html before any file or subdirectories are created in public_html. This approach lets the web server access web files as the group owner of the files. Note that this approach prevents users from seeing each other’s files.