What user should own /var/www on Ubuntu 9.04 Server?
I've got LAMP on Ubuntu 9.04 Server and the default installation has root:root owning the /var/www folder. I discovered this when another service, Hudson, could not write to that directory. I want my hudson user to have permission to write to /var/www. So, should www-data user be the owner of /var/www and hudson be a member of www-data group OR should I go with the default user and group and make hudson a member of root? The latter seems wrong. So that brings up the question, what user should own /var/www? (And for those with much more experience than I, given this scenario, is there something even better than the two solutions I've seen?)
So, should www-data user be the owner of /var/www
Why is the apache process run by www-data, but the /var/www owned by root? Is there some risk to making www-data own the folder and run the process?
Your web server is running as www-data. If apache has the ability to write to /var/www and you have configured something incorrectly, or you're running a buggy web application, or apache itself has an exploitable bug, then an evil person on the Internet would be able to write things to /var/www. Whenever possible you should always give service accounts the least privileges they need to operate.
is there something even better than the two solutions I've seen?
Create a new group, and change the ownership of the /var/www to root:group. Add all users that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.
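The steps from this answer as a shell sketch, added here as an example and not part of the original answer. The group name `webpub` and the function names are assumptions; `hudson` is the user from the question, and www-data is deliberately left out of the group so the web server stays read-only.

```shell
#!/bin/sh
# Added example: shared publish directory owned by root:<group>.
# Typical use as root (webpub is a hypothetical group name):
#   create_publish_group webpub hudson
#   prepare_docroot /var/www webpub
#   audit_docroot /var/www webpub     # prints nothing when the tree is clean

# One-time account setup; needs root. New membership applies at the
# user's next login (restart a service such as Hudson to pick it up).
create_publish_group() {
    group=$1; shift
    getent group "$group" >/dev/null || groupadd "$group"
    for user in "$@"; do
        usermod -a -G "$group" "$user"
    done
}

# Give the tree to root:<group>, make it group-writable, and set the
# setgid bit on directories so new files inherit the group.
prepare_docroot() {
    dir=$1; group=$2
    # Only root can hand ownership to root; skip when run unprivileged.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$dir"
    fi
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2775 {} +
    find "$dir" -type f -exec chmod g+w,o-w {} +
}

# List paths that drifted from the policy: world-writable entries,
# entries in the wrong group, and directories missing the setgid bit.
# Publishers need umask 002 so that what they create stays group-writable.
audit_docroot() {
    dir=$1; group=$2
    find "$dir" ! -type l \( \
        -perm -0002 \
        -o ! -group "$group" \
        -o \( -type d ! -perm -2000 \) \
    \) -print
}
```

Running `audit_docroot` from cron or after each deployment catches files that a publisher created with a restrictive umask or that were made world-writable by mistake.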