www-data is safe or not

For security.

The files are not world writeable. They are restricted to the owner of the files for writing.

The web server has to be run under a specific user. That user must exist.

If it were run under root, all the files would have to be accessible to root, and you would need to be root to manage them. With root as the owner, a compromised web server would have access to your entire system. By running it under a specific user ID, a compromised web server would only have full access to its own files and not to the entire server.

If you decide to run it under a different user ID, then that user would need to be the effective owner of the files for proper privileges. It could be confusing to have personal ownership of system-wide files to your personal account.

Creating a dedicated user makes it easier to recognize the site's files and makes it consistent which ID to chown new files and folders to when they are added to the site.

The user ID or name of the owner doesn't matter. Whatever is chosen will have to be configured in the web server configuration files.

By default the owner is www-data in the Ubuntu configuration of Apache2. Since that is the default, you conveniently already know the ownership needed for your web files. If you change it, you would have to change the ownership of the files in your site to match.

Important

It's not a good idea to have write permissions on the entire folder. Most websites (for example WordPress, Joomla and Magento) need write permission only on specific folders (image upload, file upload). A better way is to give write permission on those folders and not allow script (PHP, Python) execution there, and to always check that the user is uploading the right content: for example, if your website allows a user to upload an image as an avatar, check that it really is an image and not a fake image with a PHP script inside. The problem with having write permissions on the website root is that if someone finds a vulnerability, they could use it to write a new index.php file and 'hack' your website.
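The ownership and write-permission model described above, as an added shell example that is not code from the original post: it builds a constructed site tree, applies the model (code readable but not writable by the web server, only the upload folder writable), audits the tree for stray write bits, and prints an Apache fragment that disables script execution in the upload folder. It assumes the web server runs as a member of the group WEB_GROUP (www-data on Ubuntu/Apache2) and defaults to the caller's own group so it runs without a www-data account.

```shell
# Added example, not code from the original post: lay out a site tree the way
# the post recommends (code owned by a deploy account, only the upload folder
# writable by the web server's group) and audit it for stray write bits.
# Assumption: the web server runs as a member of WEB_GROUP (www-data on
# Ubuntu/Apache2); the demo defaults to the caller's own group so it runs
# without a www-data account. The site layout below is constructed for the demo.
set -eu

WEB_GROUP=${WEB_GROUP:-$(id -gn)}

# setup_site ROOT: create the constructed site tree and apply the permission model.
setup_site() {
    root=$1
    mkdir -p "$root/wp-content/uploads" "$root/includes"
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php // settings\n' > "$root/includes/config.php"
    chgrp -R "$WEB_GROUP" "$root"
    # Directories 0755, files 0644: the owner writes, the web server only reads.
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    # Only the upload folder is group-writable; setgid keeps new files in the group.
    chmod 2775 "$root/wp-content/uploads"
}

# writable_outside_uploads ROOT: print every path writable by group or others
# that is not inside the upload folder. No output means the tree is clean.
writable_outside_uploads() {
    root=$1
    find "$root" \( -perm -020 -o -perm -002 \) \
        ! -path "$root/wp-content/uploads" \
        ! -path "$root/wp-content/uploads/*"
}

# uploads_hardening_conf ROOT: print an Apache fragment that stops the upload
# folder from executing scripts, so a disguised "image" containing PHP is served
# as a plain file (php_admin_flag is a mod_php directive; with php-fpm restrict
# the handler instead).
uploads_hardening_conf() {
    cat <<EOF
<Directory "$1/wp-content/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml
    Options -ExecCGI
    AllowOverride None
</Directory>
EOF
}
```

Run `writable_outside_uploads /var/www/html` periodically (or from a cron job) to catch files that drifted to group- or world-writable after deployments or plugin updates.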
