
Permissions have always been a mystery to me. Especially when you toss in things like an 'httpd' user or a 'postgres' user. I've only ever been able to find explanations about what permissions are, but never a description of how and why modern use of *nix permissions works.

If anyone knows of a good place to look for information to help me understand users and permissions, especially in regards to modern web applications, I'd love to hear about it.



Separate users for separate daemons provides an informal "privilege separation." If apache starts misbehaving it will not be able to write to any of the files that belong to postfix.

What is it that you do not understand in regards to modern web applications?


It's not just apache misbehaving - it is in a similar vein to application jails. If someone hijacks the apache server, they cannot direct httpd to overwrite /etc/passwd or /etc/ssh/sshd_config.

(Jails are used because while httpd normally cannot overwrite those files, exploits crop up every now and again that allow privilege escalation; jails are an attempt to obviate that problem.)


What a great post. You just confused the issue more and added nothing. I was trying to see if I could help explain the user permission model to the OP. Overwriting files is misbehaving; doing anything but answering http requests is misbehaving.

Why complicate the issue with jails? User separation is in the same vein as user permissions, that's true. But they are hardly on the same plane. If someone is interested in understanding the basic u/g/w+chmod permissions model, why would you bring up jails? Now there is twice as much to explain because you have one system+users running inside/on top of another system+users.

Anyway, breaking out of a chroot jail is not terribly hard if you have elevated privileges above www-data inside of the chroot.


Hi, almost every post you have made in this thread has a disrespectful tone. Please review what you're doing, avoid "...", don't be sarcastic, don't assume the other person is an idiot.


How is offering to help someone who asked for help disrespectful? And when did using an ellipsis become disrespectful?


What a great post. You just confused the issue more and added nothing.

Oh good, a friendly one.

Why complicate the issue with jails?

Jails are very easy to understand. Once you understand jails, it should be an easy logical step to understand users/groups on a conceptual/purpose level, as they can be viewed as very sophisticated jails.
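An added example, not part of any comment in this thread: a small Python model of the owner/group/other check that makes the per-daemon users discussed above work, showing what a hijacked httpd could and could not write. The uids, gids, modes and the postfix and /var/www paths are constructed for illustration, and the model ignores ACLs, capabilities and SELinux/AppArmor.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

@dataclass(frozen=True)
class Proc:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups

@dataclass(frozen=True)
class Meta:
    path: str
    uid: int
    gid: int
    mode: int

def may_access(proc, f, want):
    """Classic Unix check: exactly one class (owner, group, other) is consulted."""
    if proc.uid == 0:
        # Simplified root rule for regular files: read/write always pass,
        # execute needs at least one x bit somewhere in the mode.
        return not (want & X) or bool(f.mode & 0o111)
    if proc.uid == f.uid:
        bits = (f.mode >> 6) & 7      # owner triplet, even if group grants more
    elif f.gid in proc.gids:
        bits = (f.mode >> 3) & 7      # group triplet
    else:
        bits = f.mode & 7             # other triplet
    return (bits & want) == want

def writable_by(proc, files):
    """Paths this process could modify: the damage radius if it is hijacked."""
    return [f.path for f in files if may_access(proc, f, W)]

# Constructed sample data (uids, gids, modes and the last two paths are made up).
ROOT, WWW, POSTFIX = 0, 33, 89
HTTPD = Proc("httpd", WWW, frozenset({WWW}))
MAILD = Proc("postfix", POSTFIX, frozenset({POSTFIX}))
FILES = [
    Meta("/etc/passwd", ROOT, ROOT, 0o644),
    Meta("/etc/ssh/sshd_config", ROOT, ROOT, 0o644),
    Meta("/var/spool/postfix/example-queue-file", POSTFIX, POSTFIX, 0o600),
    Meta("/var/www/example/uploads.db", WWW, WWW, 0o660),
]

if __name__ == "__main__":
    for p in (HTTPD, MAILD):
        print(p.name, "can write:", writable_by(p, FILES))
```

Note that the owner triplet wins even when it is stricter than the group triplet, which is why a file's owner can be denied a write that a group member is allowed.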



