Apache2 UserDir defaults to User www-data

Bug #614195 reported by Xeno Campanoli on 2010-08-06
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: ubuntu-docs

When using UserDir directive on Apache2 on CentOS, you get access to the directories as THAT USER, but on Ubuntu Server it is stupidly set up as www-data. This is completely contrary to what most people will ever want if they actually set up UserDir, which is designed for user specific accounts and access to public_html, not for central access. Please fix this. It is the wrong wrong wrong configuration default.

Matthew East (mdke) on 2010-08-09
affects: ubuntu-docs (Ubuntu) → apache2 (Ubuntu)
Dave Walker (davewalker) wrote :

Hi Xeno,

Please can you clarify why this is an issue; is it presenting as a problem when using dynamic content, such as PHP?

Thanks.

Changed in apache2 (Ubuntu):
status: New → Incomplete
Adam Conrad (adconrad) wrote :

UserDir is meant specifically to allow read access to ~/public_html, which it does just fine in the Debian/Ubuntu setup. Perhaps you're confusing it with suEXEC? I would consider it pretty non-intuitive to blindly enable suEXEC (a potentially large security risk, if people don't understand it) just because people want to serve content from public_html.

Laurent Dinclaux (dreadlox) wrote :

I faced the problem with wordpress installation in userdir. As the user as no permissions on that dir, PHP scripts can't write files to that dir. For example Worpdress can't create its configuration file on install, or install extensions.

This is bad....

My solution is to add 'my_user' to www-data group and to:

# sudo chmod -R 770 public html
# sudo chown -R my_user:www-data public html

This has to be done anytime 'my_user' adds or edits a php file in public_html. This is tedious and should be fixed as soon as possible.

Changed in apache2 (Ubuntu):
status: Incomplete → Confirmed
Adam Conrad (adconrad) wrote :

Giving the web server (under www-data or any other user) complete write access to Wordpress is not a good idea, regardless. The installation docs even go in depth to tell you how to temporarily make the config file writeable (say, chmod 666 config.php) so you can run the config script, then tell you to undo that afterward.

Why do you think having write access to your scripts is a reasonable and "correct" setup that we should be shipping out of the box?

(Yes, sometimes you want an upload directory, tmp-style, for certain CMSes, again, you can chmod just those directories, no need to have your entire web root writable by a web server)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers