Web application package guidelines

For security reasons, every web application should be run as a separate (unprivileged) user (i.e. $pkgname).

Refer to the systemd-sysusers(8), sysusers.d(5), systemd-tmpfiles(8) and tmpfiles.d(5) man pages for details on how to create users and deal with ownership of files and folders for that user in a package.

The layout follows the FHS.

• /usr/share/$pkgname: The application's data directory holds the files of the web application. Files are owned by root and are therefore readonly to the application user and group $pkgname.
• /etc/$pkgname: The configuration directory of the application holds configuration files for the application (symlinked to the data directory). Files located here have to go to the backup array and are owned by the user and group $pkgname.

• : The runtime directory of the application (owned by the user and group $pkgname). It can be used for sockets (e.g. in setups facilitating socket activation).

• : The cache directory of the application (owned by the user and group $pkgname). It (or subfolders in it) is symlinked to the data directory for applications requiring writable cache directories.
• /var/lib/$pkgname: The persistent storage of the application (owned by the user and group $pkgname). It (or subfolders in it) is symlinked to the data directory for applications requiring persistent storage directories.