Best practices for Apache web content owner? (www-data, root, user, etc?)

apache-2.2 unix

For a simple LAMP setup, what's the most secure way to handle file ownership of the /var/www directory (or sub-directories)?

Apache runs as www-data, so if it's the owner it will have write access. This is probably a bad idea; however, it makes it convenient for file uploads.

If they are owned by root, are there any security issues involved?

Does it make sense to have each user be the owner of their /var/www/site folder? (I realize that ~/public_html is the right way to do this; however, having all web content under /var/www/ makes it easy to see what sites are currently running on the server.)

Best Answer

There should be no issues with the contents being owned by root provided that they are readable by the httpd user.

User stuff should go under /srv, not /var/www. They can own their code and data under there.
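
One way to check a web root against the advice above (content not owned or writable by the server account, yet readable by it), as an added example that is not part of the original answer. The function name `audit_docroot` and the finding labels are made up for this sketch; it looks only at mode bits and the server account's primary group, not ACLs or supplementary groups.

```shell
#!/bin/sh
# Usage: audit_docroot DIR WEBUSER [WEBGROUP]
#   e.g. audit_docroot /var/www www-data
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_docroot() {
    dir=$1
    webuser=$2
    # Default to the server account's primary group when none is given.
    webgroup=${3:-$(id -gn "$webuser")} || return 2

    findings=$(
        # Owned by the server account: it can rewrite or chmod these at will.
        find "$dir" -user "$webuser" -print | sed 's/^/OWNED_BY_SERVER /'

        # In the server's group and group-writable: writable without ownership.
        find "$dir" ! -type l -group "$webgroup" -perm -0020 -print |
            sed 's/^/GROUP_WRITABLE /'

        # World-writable: every local account, the server included, can modify.
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'

        # The permission class that applies to the server account (group if
        # the file is in its group, otherwise other) lacks the read bit.
        # Directories also need the search (x) bit; that is not checked here.
        find "$dir" ! -type l ! -user "$webuser" \( \
                \( -group "$webgroup" ! -perm -0040 \) -o \
                \( ! -group "$webgroup" ! -perm -0004 \) \
            \) -print | sed 's/^/NOT_READABLE /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

An upload directory that the server must write to will show up as a finding; that is expected, and the point is that it should be the only one.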