I'm working through How To Serve Django Applications with uWSGI and Nginx on Ubuntu 16.04. At the end of the "Create a systemd Unit File for uWSGI" in the article they discuss the www-data user. What is this and why is it important?
2 Answers
For security.
The files are not world-writable. They are restricted to the owner of the files for writing.
The web server has to be run under a specific user. That user must exist.
If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying a specific ID, a compromised web server would only have full access to its files and not the entire server.
If you decide to run it under a different user ID, then that user would need to be the effective owner of the files for proper privileges. It could be confusing to have personal ownership of system-wide files to your personal account.
Creating a specific user would make it easier to recognize the files and consistent to recognize which ID to chown to new files and folders added to the site.
The user ID or name of the owner doesn't matter. Whatever is chosen or decided upon will have to be configured in the web server configuration files.
By default the configuration of the owner is www-data in the Ubuntu configuration of Apache2. Since that is the default configuration, you conveniently know the ownership needed for your web files. If you change it, you would have to change the files in your site to match.
I don't run Nginx, but since it's in the Ubuntu repository, I'm sure it has been tested with the www-data configuration as default.
- btw, what is a 'specific id'? – user1592380 Jan 19 '17 at 17:11
- It's `www-data`. That is why, as in your question, they asked you to create the user ID and group ID if it doesn't exist. The Apache2 installation automatically creates the user. I'm not sure about **Nginx**. You can check to see if it exists with: `id -u www-data && id -g www-data`. If it exists it will show you the ID number of the user and group. By default on Ubuntu the user and group numbers are `33`. – L. D. James Jan 19 '17 at 17:31
- Putting `www-data` in as the owner can also be a security risk, as mentioned in the `base-passwd` documentation (see @muru's answer), as owners typically have read/write access to all web-serving content. You could remove write access for the `www-data` owner, or use a different owner. `www-data` definitely needs read access to all data to be served, but if you only give the permissions needed for each file and directory, and not more, you will be more secure. – Yuval Jan 29 '19 at 14:00
- Found the `www-data` group name using these args: `cat /etc/group | grep www-data` – noobninja Apr 12 '20 at 20:12
www-data is the user that web servers on Ubuntu (Apache, nginx, for example) use by default for normal operation. The web server process can access any file that www-data can access. It has no other importance.
From the base-passwd documentation (/usr/share/doc/base-passwd/users-and-groups.txt.gz):
Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.
- except the discussion on why you should not give www-data access over webroot files ;) – kitingChris Jan 19 '17 at 16:25
- Just to make this more concrete for me, can I ask what services a web server needs to access when serving a page? – user1592380 Jan 19 '17 at 16:26
- @user61629 services? The web server is itself a service, by usual definitions of service. – muru Jan 19 '17 at 16:27
- `www-data` is the user (and also group) that the service httpd (apache) is **acting with** on your system. – kitingChris Jan 19 '17 at 16:30
- It's the same in the Debian distribution as well. Maybe the name is common across all Debian-based flavors? – asgs Jan 01 '19 at 19:05
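Both answers come down to the same two checks: the site's code and static files should be owned by a deploy account rather than by www-data, and www-data should get read access only, with the one exception of directories the application itself writes to (which, as the base-passwd text says, end up owned by www-data). The script below is an added example, not code from either answer or from the DigitalOcean tutorial. It builds a constructed sample web root in a temp directory (the file names and modes are made up), reports anything owned by the service user or writable by group/other, and then strips the stray write bits. The `media` subdirectory stands in for Django's MEDIA_ROOT and is the assumed exception.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Audits a web root for the two mistakes the answers warn about:
#   1. content owned by the service account (www-data by default): a
#      compromised server could then rewrite the site;
#   2. content writable by group or other: www-data should only get the
#      read access it needs.
# A directory the application legitimately writes to (Django's MEDIA_ROOT,
# for instance) is owned by www-data by design, so it can be excluded.
#
# usage: audit_webroot WEBROOT [SERVICE_USER] [WRITABLE_SUBDIR]
# Prints each finding on stderr and the number of findings on stdout.
audit_webroot() {
    root="$1"
    svc_user="${2:-www-data}"
    # Sentinel path that cannot exist, so nothing is pruned when no
    # writable subdirectory is given.
    skip="$root/${3:-.__no_such_dir__}"
    total=0

    # Rule 1 can only be evaluated when the service account exists here.
    if id -u "$svc_user" >/dev/null 2>&1; then
        find "$root" -path "$skip" -prune -o -user "$svc_user" -print \
            | sed "s|^|  owned by $svc_user: |" >&2
        owned=$(find "$root" -path "$skip" -prune -o -user "$svc_user" -print | wc -l)
        total=$((total + owned))
    else
        echo "  note: user $svc_user does not exist on this host; ownership check skipped" >&2
    fi

    # Rule 2: group-writable (020) or other-writable (002) entries.
    find "$root" -path "$skip" -prune -o \( -perm -020 -o -perm -002 \) -print \
        | sed 's|^|  writable by group/other: |' >&2
    writable=$(find "$root" -path "$skip" -prune -o \( -perm -020 -o -perm -002 \) -print | wc -l)
    total=$((total + writable))

    echo "$total"
}

# Remove group/other write bits below WEBROOT, leaving WRITABLE_SUBDIR alone.
# Fixing ownership needs root (chown -R to a non-service owner, group
# www-data) and is deliberately not done here.
harden_webroot() {
    root="$1"
    skip="$root/${2:-.__no_such_dir__}"
    find "$root" -path "$skip" -prune -o -exec chmod go-w {} \;
}

# Constructed sample web root (not a real deployment); prints its path.
# static/ and static/site.css carry the mistake (group/world writable);
# media/ is the upload directory the app is allowed to write to.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/static" "$d/app" "$d/media"
    printf 'body{}\n' > "$d/static/site.css"
    printf 'DEBUG = False\n' > "$d/app/settings.py"
    printf 'png\n' > "$d/media/avatar.png"
    chmod 755 "$d" "$d/app"
    chmod 775 "$d/static"            # mistake: group-writable code directory
    chmod 666 "$d/static/site.css"   # mistake: world-writable static file
    chmod 640 "$d/app/settings.py"   # fine: owner rw, group read only
    chmod 775 "$d/media"             # acceptable: app writes uploads here
    chmod 664 "$d/media/avatar.png"
    echo "$d"
}

# Demonstration: 2 findings on the sample, 0 after hardening (media excluded).
sample=$(make_sample_webroot)
audit_webroot "$sample" www-data media
harden_webroot "$sample" media
audit_webroot "$sample" www-data media
rm -rf "$sample"
```

Against a real deployment this is `audit_webroot /srv/myproject www-data media` (paths assumed); the ownership check is skipped on hosts where www-data does not exist, and the upload directory should be the only place where the count stays above zero once ownership and modes are right.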