www-data is the user (and also the group) that the httpd (Apache) service runs as on your system.
---
www-data
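Some web servers run as www-data. Web content should not be owned by this
user, or a compromised [lacking immunity] web server would be able to rewrite a web site. Data
written out by web servers will be owned by www-data.
[Read it this way: read permission means the server can read but not write. If the server has write permission, someone could exploit the server to write into the site's files, and the consequences would be unthinkable.]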
-------------
The files are not world-writable. They are restricted to the owner of the files for writing.
The web server has to be run under a specific user. That user must exist.
If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying the specific ID, a compromised server would only have full access to the server.
---
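One way to check a document root against the ownership rule in these notes, as an added example that is not part of the original notes: a POSIX shell function that lists everything under a directory that the web server account could rewrite. The function name `audit_webroot` is hypothetical, and the service group is assumed to have the same name as the service user unless a third argument is given.

```shell
#!/bin/sh
# Added example: find content the web server account is able to modify.
# Usage: audit_webroot DOCROOT [SERVICE_USER] [SERVICE_GROUP]
# Prints one "reason<TAB>path" line per finding; returns 1 if any were found.
# Example call (path is a placeholder): audit_webroot /var/www/html www-data
audit_webroot() {
    docroot=$1
    svc_user=${2:-www-data}     # account the web server runs as
    svc_group=${3:-$svc_user}   # assumption: group named like the user

    findings=$(
        # Owned by the service account: the server can rewrite or chmod it.
        find "$docroot" -user "$svc_user" \
            -exec printf 'owned\t%s\n' {} \;
        # Owned by someone else, but writable through the service group.
        find "$docroot" ! -user "$svc_user" -group "$svc_group" ! -type l \
            -perm -020 -exec printf 'group-writable\t%s\n' {} \;
        # Writable by everyone, which includes the service account.
        find "$docroot" ! -user "$svc_user" ! -type l \
            -perm -002 -exec printf 'world-writable\t%s\n' {} \;
    )

    # Nothing found: the server can read this tree but not change it.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Directories the server legitimately writes to (uploads, caches) will show up as findings too; keep them outside the document root or review them individually.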