On 2025-08-04 09:17:21 (+0200), Robin Candau wrote:
> > Somewhat related to your change, I think it would also be good to not run
> > the PHP frontend as the http user [a], as the webserver runs as that.
> >
> > With nextcloud and other web applications we have also switched to separate
> > users, but as this may require a bit more setup and change party, it's
> > probably better to do this in a follow-up.
> >
>
> Sure, I can take a look at that.
>
> Are there any expected impacts for users regarding this transition? If so,
> maybe it should be shipped at the same time as the above change to group
> impactful changes in a single batch (while we are in the process of sending
> a news for it)?

This usually means that a dedicated php-fpm or uwsgi config (or whatever people
are using) needs to be created/adapted.
For ease of integration, we have added a configuration for uwsgi in the
nextcloud package, but not yet for php-fpm.

Here, the custom ownership is also specifically limited to /etc, and
everything below /usr remains root owned (with symlinks to e.g. cache or
config directories).
Some applications don't even need full ownership over their configuration
files, as they only require read access (but that is really
application-specific).

FWIW, in this context it is questionable whether you would want to use the
same system user (zabbix) for the PHP-based frontend, too.

I hope this helps somewhat to gain an overview.

Best,
David

-- 
https://sleepmap.de
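
The separation discussed in this message, sketched as a php-fpm pool. This is an added example, not part of the thread or of any Arch Linux package; the pool name, the `zabbix-web` account, the file path and the socket path are assumptions.

```ini
; Hypothetical pool file, e.g. /etc/php/php-fpm.d/zabbix.conf (path assumed)
[zabbix]

; Weak: the PHP frontend runs as the webserver's own account, so a
; compromise of either one gets the file access of both.
;user = http
;group = http

; Separated: the frontend runs as its own unprivileged account
; (account name assumed). Application code below /usr stays root owned
; and is only readable by this user; only the configuration under /etc
; that the application must write or read is handed to it.
user = zabbix-web
group = zabbix-web

; The webserver (http) is the only other party allowed to talk to the
; pool; it connects over this socket and needs no access to the
; frontend's configuration files.
listen = /run/php-fpm/zabbix.sock
listen.owner = http
listen.group = http
listen.mode = 0660

; Minimal process manager settings so the pool definition is complete.
pm = ondemand
pm.max_children = 5
```

The webserver's FastCGI upstream then has to point at this socket instead of the shared default pool, which is the kind of user-side adaptation the message refers to.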