sczl

What is the www-data user?

I’m working through How To Serve Django Applications with uWSGI and Nginx on Ubuntu 16.04. At the end of the “Create a systemd Unit File for uWSGI” in the article they discuss the www-data user. What is this and why is it important?

Posted

in

by

sczl

Tags:

Comments

2 responses to “What is the www-data user?

  1. sczl Avatar
    sczl

    For security.

    The files are not world writeable. They are restricted to the owner of the files for writing.

    The web server has to be run under a specific user. That user must exist.

    If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying a specific ID a compromised web server would only have full access to its files and not the entire server.

    If you decide to run it under a different user ID, then that user would need to be the effective owner of the files for proper privileges. It could be confusing to have personal ownership of system-wide files to your personal account.

    Creating a specific user would make it easier to recognize the files and consistent to recognize which ID to chown to new files and folders added to the site.

    The Userid or Name of the owner doesn’t matter. Whatever is chosen or decided upon will have to be configured in the web server configuration files.

    By default the configuration of the owner is www-data in the Ubuntu configuration of Apache2. Since that is the default configuration, you conveniently know the ownership needed for your web files. If you change it, you would have to change the files in your site to match.

    I don’t run Nginx, but since it’s in the Ubuntu repository, I’m sure it has been tested with the www-data configuration as default.

    Reply
  2. sczl Avatar
    sczl

    Putting www-data in as the owner can also be a security risk as mentioned in the base-passwd documentation (see @muru’s answer), as owners typically have read/write access to all web-serving content. You could remove write access to the www-data owner, or use a different owner. www-data definitely needs read-access to all data to be served, but to if you only give the permissions needed for each file and directory, and not more, you will be more secure. – 
    Yuval
    Jan 29, 2019 at 14:00
    1
    found the www-data group name using these args cat /etc/group | grep www-data – 
    noobninja
    Apr 12, 2020 at 20:12

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *