On 02.12.2017 at 22:14, Nicolas Kovacs info@microlinux.fr wrote:
On 02/12/2017 at 10:30, Nicolas Kovacs wrote:
==> Reminder: this is actually the question I'm asking in my post.
Oh, we all read (only) what we want :-)
So I'm finally coming to my question. How problematic is it really to
have the apache user and group owning the stuff under /var/www?
"problematic" should be defined by yourself (probability * impact = risk).
To answer, let's use a comparison: the root user can write to all /bin/ files. Executing them will not change the binaries (in a perfect world). What happens when something tries to use this fact (write perm) to do malicious things? Therefore it's good practice to work as a "non-root" user. So, when the httpd user (web daemon) has full write permissions, what happens when something tries to use this fact (write perm) to do malicious things? Anybody who has an eye on the httpd logs knows that the web is not a perfect world.
Not a direct answer, because there is not an absolute one, but I hope that I could express my point of view ...
-- LF
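
Added example, not part of the thread or written by either poster: a small audit that lists what the web server account can modify under a document root, which is the write permission the reply is concerned about. The function names are hypothetical, and the `apache` user and group in the usage comment are assumed defaults for this distribution.

```shell
#!/bin/sh
# Added example: report every path under a document root that the web
# server account could modify, with the reason it can.

# Prefix each path read from stdin with a reason tag.
tag() { sed "s|^|$1 |"; }

# writable_by_httpd DOCROOT USER GROUP
# Prints "<reason> <path>" lines; a path can appear under several reasons.
writable_by_httpd() {
    docroot=$1; user=$2; group=$3
    # Symlinks are skipped: their own mode bits are not what the kernel checks.
    # Ownership counts even for read-only files, because the owner can chmod.
    find "$docroot" ! -type l -user "$user" -print | tag owner
    # Writable through the account's group.
    find "$docroot" ! -type l -group "$group" -perm -g=w -print | tag group
    # Writable by everyone, the web server account included.
    find "$docroot" ! -type l -perm -o=w -print | tag world
}

# Usage (assumed names): writable_by_httpd /var/www apache apache
```

An empty result means the daemon can only read the tree; any `owner` line on static content or code is a candidate for `root` ownership, with write access kept for upload or cache directories only.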