Standard user and standard directory for webservers

hightower · 2006-12-18 13:52:22

Hallo,

has Arch a special "www" user for webservers and/or a special directory for the data served by webservers?

And if not, do you think it's usable to have both (or at least a standard user)?

Concerning the directory, I found this recommendation in the FHS:

/srv : Data for services provided by this system
Purpose
/srv contains site-specific data which is served by this system.
This main purpose of specifying this is so that users may find the location of the data files for particular service, and so that services which require a single tree for readonly data, writable data and scripts (such as cgi scripts) can be reasonably placed. Data that is only of interest to a specific user should go in that users' home directory.
The methodology used to name subdirectories of /srv is unspecified as there is currently no consensus on how this should be done. One method for structuring data under /srv is by protocol, eg. ftp, rsync, www, and cvs. On large systems it can be useful to structure /srv by administrative context, such as /srv/physics/www, /srv/compsci/cvs, etc. This setup will differ from host to host. Therefore, no program should rely on a specific subdirectory structure of /srv existing or data necessarily being stored in /srv. However /srv should always exist on FHS compliant systems and should be used as the default location for such data.
Distributions must take care not to remove locally placed files in these directories without administrator permission. [20]

[20] This is particularly important as these areas will often contain both files initially installed by the distributor, and those added by the administrator.

hightower

STiAT · 2006-12-18 14:12:45

On arch, apache runs as nobody:nobody by default.

Actually, it's all about the apache configuration, not an arch configuration issue.

If you want apache to run as a seperate user, create one with the wanted permissions, edit your httpd.conf and set

User apache
Group apache

if the user created is apache with the primary group apache.

The standard directory configured for apache in arch is /home/httpd

If you need more directories for providing different services for different users, you should think about vhosts.

// STi

ralvez · 2006-12-18 15:41:14

I'm not sure I understand your question a 100% but let's see if I get it right.
Arch has a directory for serving web pages it is: /home/httpd/html
That's where the default index.html, when you just got Apache running, resides.

If you wish to run web pages as a user, in other words, give users the ability to have their very own area to run web pages, then you must customize the /etc/httpd/conf/extra/httpd-userdir.conf file.

By default it allow your users to run a personal web site by creating a /home/<your_id>/public_html/ directory, which can be accessed via:
http://127.0.0.1/~<your_id>/ in a web browser.

As per the default user this is what apache states:

 User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User nobody
Group nobody
</IfModule>
</IfModule>

In other words, anyone accessing pages in the web directory inherits those permissions essentially read (and sometimes, with some files execute) but that's about it.

Hope this helps.

Rick

hightower · 2006-12-18 17:27:33

Hi,

ok perhaps I should've better explained my question. Recently I made a PKGBUILD for hiawatha, a webserver, and I came across the issue that every webserver out there uses its own user (for example: lighttpd -- > lighttpd, apache --> nobody) and the directory the program uses are different.

It's not about setting up a web hoster or anything other practical issues but about a convention about the user (uid) and the directory for the webserver process.

I image that there could be a user like "www" which is used by apache, lighttpd and all the other webservers out there, and perhaps a standard directory.

I found this discussion in the mailing list:
http://www.archlinux.org/pipermail/arch … 04480.html (Part 2 is the interesting one)

hightower

ralvez · 2006-12-18 17:36:38

I see. I think that you may be facing a problem. Apache allows for configuration of the "default" www directory. Some distros use /var/www, others (like Arch) use a different directory.
The user "nobody" is common to all distros and should not be a problem.
As far as I know there is not "standard" directory for the web server root in all distributions.

R

hightower · 2006-12-18 18:34:25

As far as I know there is not "standard" directory for the web server root in all distributions

Do you (@all) think a "standard" directory would be a good idea at least for Arch Linux? (-> Arch Packaging Standards)

"nobody" user:

daemon: Some unprivileged daemons that need to write to files on disk run as daemon.daemon (e.g., portmap, atd, probably others). Daemons that don't need to own any files can run as nobody.nogroup instead, and more complex or security conscious daemons run as dedicated users. The daemon user is also handy for locally installed daemons

nobody, nogroup: Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group.

Taken from "Securing Debian Manual"(Chapter 12.1.12.1)

This definition contradicts the use of "nobody" as a webserver user because webservers usually own data, at least as far as I know ;-)

hightower

byte · 2006-12-19 07:22:23

If you are concerned about security, run each and every daemon under it's own uid and group, simple.
OpenBSD is the prime example for this: http://www.openbsd.org/cgi-bin/cvsweb/s … web-markup

Arch is very far from being a server distribution, at least with the default packages.

_alexmyself · 2008-01-11 00:29:50

hello,

i've not use phpmyadmin last months and today need it, but only stay config.inc.php in
/home/httpd/html/phpmyadmin
so apache just list the directory and can't let myadmin do his job anymore

problem is that apache conf just let it go and live in /home/httpd/html
and php conf don't know more about /srv
and i'm happy with those limited areas
is the /srv idea really needed ?

myadmin is just a php site like many others in /home/httpd/html, so why ?
tomcat for example have his own directories and i can understand that, it's different of apache primary role (read i don't know about java and i don't want

what do you think about phpmyadmin go back to /.../html ?
and if you like the /srv how to make phpmyadmin running well ?

quad3d@work · 2008-01-11 06:00:32

_alexmyself wrote:

hello,
i've not use phpmyadmin last months and today need it, but only stay config.inc.php in
/home/httpd/html/phpmyadmin
so apache just list the directory and can't let myadmin do his job anymore
problem is that apache conf just let it go and live in /home/httpd/html
and php conf don't know more about /srv
and i'm happy with those limited areas
is the /srv idea really needed ?
myadmin is just a php site like many others in /home/httpd/html, so why ?
tomcat for example have his own directories and i can understand that, it's different of apache primary role (read i don't know about java and i don't want

what do you think about phpmyadmin go back to /.../html ?
and if you like the /srv how to make phpmyadmin running well ?

[terii@monkey1 /etc/php]$ cat php.ini|grep ^open_base
open_basedir = /home/:/tmp/:/usr/share/pear/:/srv/www/

Make above changes to your php.ini and restart Apache.

thisllub · 2008-01-11 06:30:08

I prefer /var/www because I mount a separate partition on var.
/srv is equally valid.
I also have a predefined user for apache.

I build apache on all my servers because I need to tune it.
If you build Apache with default options it will install in /usr/local/apache

_alexmyself · 2008-01-11 11:51:32

hello,
thanks for answers

i've cp /srv/www/phpmyadmin/* to home/httpd/html/phpmyadmin and it runs
but next update will broke that

for php.ini why not, the /srv/www dir could be added to default conf in the pkgbuild, i think, so php could handle the /srv stuff
but for apache the conf is: DocumentRoot "/home/httpd/html"
symbolic links are supported but could this help ?

oh and sorry for my language..i try..

open a new thread here: http://bbs.archlinux.org/viewtopic.php?id=42126

Last edited by _alexmyself (2008-01-11 12:06:10)

cactus · 2008-01-11 17:00:35

php apps *should not* be managed with a package manager in my opinion.
You should handle the download and installation of php web apps yourself.

_alexmyself · 2008-01-11 17:57:33

why did you say that ?
install via pacman is nice, are those kind of packages causes problems ?

High|ander · 2008-01-31 22:26:33

Because most of the PHP applications needs to run custom scripts to update their DB tables, or patch some files in every release. That is hard for a maintainer to mantiain in every release.

Arch Linux

#1 2006-12-18 13:52:22

Standard user and standard directory for webservers

#2 2006-12-18 14:12:45

Re: Standard user and standard directory for webservers

#3 2006-12-18 15:41:14

Re: Standard user and standard directory for webservers

#4 2006-12-18 17:27:33

Re: Standard user and standard directory for webservers

#5 2006-12-18 17:36:38

Re: Standard user and standard directory for webservers

#6 2006-12-18 18:34:25

Re: Standard user and standard directory for webservers

#7 2006-12-19 07:22:23

Re: Standard user and standard directory for webservers

#8 2008-01-11 00:29:50

Re: Standard user and standard directory for webservers

#9 2008-01-11 06:00:32

Re: Standard user and standard directory for webservers

#10 2008-01-11 06:30:08

Re: Standard user and standard directory for webservers

#11 2008-01-11 11:51:32

Re: Standard user and standard directory for webservers

#12 2008-01-11 17:00:35

Re: Standard user and standard directory for webservers

#13 2008-01-11 17:57:33

Re: Standard user and standard directory for webservers

#14 2008-01-31 22:26:33

Re: Standard user and standard directory for webservers

Board footer