On Fri, Apr 17, 2009 at 8:30 PM, Jeff King <peff@xxxxxxxx> wrote: > repo and working tree are not owned by "william"? As long as www-data, > presumably the webserver could still serve it. Also, as long as they are owned by www-data, the setup is more vulnerable to security problems. Files served by Apache (or any other webserver) should _not_ be owned by the same user that the webserver runs under. The www-data ownership is exclusively for files that you expect the webserver to be able to _modify_: files uploaded by users, session data files, sqlite databases and such. You don't really want your webserver changing executable files such as PHP. It is a valid thing to create a user to own those files, and in servers where a team was maintaining the code, we have often used 'www-code'. cheers, m -- martin.langhoff@xxxxxxxxx martin@xxxxxxxxxx -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html