[pkg-lighttpd] Bug#573320: lighttpd: Don't run Lighttpd as www-data
Olaf van der Spek
olafvdspek at gmail.com
Thu Mar 18 06:43:23 UTC 2010
On Wed, Mar 17, 2010 at 7:23 PM, Marco d'Itri <md at linux.it> wrote:
> On Mar 10, Olaf van der Spek <OlafvdSpek at GMail.Com> wrote:
>
>> Would it be possible to start FastCGI processes via spawn-fcgi and to run Lighttpd as another user than www-data (maybe user lighttpd)?
>> I think this improves security as FastCGI processes can no longer touch Lighttpd (and its log files).
>
> I believe that the correct solution would be to start the FastCGI
> processes as a different user (or multiple different users, e.g. one per
> web site or site component).
> This would not require changing the lighttpd default configuration.

There are packages like phpmyadmin that depend on www-data, so you
can't just change that.
The Lighttpd defaults have to change anyway as now it starts PHP itself.

Olaf