Well, you can look in /etc/group to see which groups _www belongs in:

$ grep _www /etc/group
_www:*:70:_devicemgr,_teamsserver

On a properly configured server, the whole point of running the web server as a dedicated user is to limit that user’s privileges elsewhere. However, web application code which accesses the filesystem is capable of reading outside the server’s DocumentRoot.

Therefore, any file not owned by _www but for which it has read permissions and execute on the file’s parent directory could in theory be read by _www if the application code doesn’t protect against that while reading the filesystem. Likewise, files on the filesystem which are other-writable could be modified by the web server if the application code provides access to them.

Such issues are exploitable when an application uses user input to generate a file path for reading or writing, but fails to guard against input like : ../../../../../../../../../ which, when possibly coupled with a NULL byte injection could produce filenames in the application like

/www/application/phptemplates/../../../../../../../../../../etc/passwd

Of course, on a modern system, /etc/passwd doesn’t actually store passwords, but it may reveal local users and other valued info to a potential attacker.