On 8/4/25 10:49 AM, David Runge wrote:
On 2025-08-04 09:17:21 (+0200), Robin Candau wrote:
Somewhat related to your change, I think it would also be good to not run the
PHP frontend as the http user [a], as the webserver runs as that.

With nextcloud and other web applications we have also switched to separate
users, but as this may require a bit more setup and change party, it's probably
better to do this in a follow-up.


Sure, I can take a look at that.

Are there any expected impacts for users regarding this transition? If so,
maybe it should be shipped at the same time as the above change to group
impactful changes in a single batch (while we are in the process of sending
a news for it)?

This usually means that a dedicated php-fpm or uwsgi config (or whatever people
are using) needs to be created/adapted.

For ease of integration, we have added a configuration for uwsgi in the
nextcloud package, but not yet for php-fpm.
Here, the custom ownership is also specifically limited to /etc, and
everything below /usr remains root owned (with symlinks to e.g. cache or config
directories).
Some applications don't even need full ownership over their configuration files,
as they only require read access (but that is really application-specific).

FWIW, in this context it is questionable whether you would want to use the same
system user (zabbix) for the PHP based frontend, too.

I hope this helps somewhat to gain an overview.

Best,
David


Alright, thanks a lot for the pointers!

As discussed together, the required changes are not trivial and require quite some testing. That doesn't feel like something I'll be able to work on in a timely manner right now, in case I wanted to add this to the current batch of changes.
So I'll keep it for a follow-up indeed!

I may ping you for some questions / help when I start working on it though (if that's alright).

Thanks again for sharing some thoughts :)

--
Regards,
Robin Candau / Antiz
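
The separation discussed in this thread, sketched as a php-fpm pool; this is an added example, not configuration from either participant or from any Arch Linux package. The user name `webapp-frontend`, the socket path and the `/path/to/webapp` and `/etc/webapp` directories are placeholders chosen for illustration; only the `http` webserver user comes from the thread.

```ini
; Constructed example: dedicated php-fpm pool for a PHP web frontend.
; "webapp-frontend" is a hypothetical system user; all paths are placeholders.
[webapp-frontend]

; PHP workers run as the dedicated user, not as the webserver's "http" user,
; so the application's files are not exposed to every other webapp.
user = webapp-frontend
group = webapp-frontend

; The webserver (running as http) only needs to connect to the socket.
listen = /run/php-fpm/webapp-frontend.sock
listen.owner = http
listen.group = http
listen.mode = 0660

; Process manager settings required for a dynamic pool.
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Confine PHP file access to the root-owned application tree (read-only for
; this user) and to the configuration directory under /etc.
php_admin_value[open_basedir] = /path/to/webapp:/etc/webapp:/tmp
```

With this layout the application code stays root-owned, and the dedicated user needs write access only where the application actually writes, which for some applications is nothing more than read access to its configuration.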
