2013/12/30 Bob Proulx <b...@proulx.com>

> Jerry Stuckle wrote:
> > Raffaele Morelli wrote:
> > > Again, the www-data user can safely be the owner of everything in the
> > > webroot, just think of phpmyadmin, there's nothing unsafe in www-data
>
> The default for phpmyadmin is that the files are owned by root not
> www-data. If they were owned by www-data then they would be unsafe.
> (If, and this is a hypothetical if, you told me the files were owned
> by a special phpmyadmin-data account, then I would say okay too.
> Because that is a different user from the www-data user.)

phpmyadmin files can be safely owned by www-data with NO write
permissions and you should explain why they are not.

> > > being the owner because it's an app, same applies eg. for drupal where a
> > > user might be allowed to write his own module and be the owner while
> > > www-data has group access r-x permissions.
> >
> > No, the Apache user should NEVER have write access to the
> > files/scripts it can execute. This is a huge security hole. Even
> > Drupal recommends this - see https://drupal.org/node/244924.
>
> Agreed. However I believe many web frameworks require that in order
> to operate. Which is why we keep hearing about exploits happening to
> those frameworks every other month. They are ripe for exploitation.
>
> > Yes, this causes a problem with Drupal 7 being unable to update its
> > own modules. But you can't have both. I'd rather have security.
>
> Me too!

Unless you prefer to be stuck with that root user ownership stuff you
can have both (updates and security) and it's quite simple: just use
unprivileged users as owners and vsftpd chrooting to allow module
updates. Just wrote it once, but it's worth repeating.

> Unfortunately others like it to be all of viewed from the web,
> installed from the web, upgraded from the web, managed from the web.
> And there lies the problem.
>
> > > Having user files owned by root means they can only be edited by
> > > root (unless you extend the group permissions - in which case
> > > www-data can also change the permissions). And you should only use
> > > root when you need to change system configurations, update packages,
> > > etc. Not for general user file editing.
>
> Agreed.
>
> Bob
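The layout the thread argues over (an unprivileged owner, the web server group limited to read/traverse, and nothing in the webroot that the Apache account can write) as a small audit-and-fix script. This is an added example, not code from the thread or from any of its participants; the web user and group names, the deploy account and the sample tree are assumptions.

```sh
#!/bin/sh
# Audit a web root for anything the web server account could modify: files owned
# by $2 with the owner-write bit (0200), files group-owned by $3 with the
# group-write bit (0020), and anything world-writable (0002). Returns 1 if found.
audit_webroot() {
    webroot=$1 webuser=$2 webgroup=$3
    id "$webuser" >/dev/null 2>&1 || { echo "no such user: $webuser" >&2; return 2; }
    offenders=$(find "$webroot" \( \( -user "$webuser" -perm -200 \) \
                -o \( -group "$webgroup" -perm -020 \) \
                -o -perm -002 \) -print | sort)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"      # one offending path per line
    return 1
}
# The layout the thread argues for: an unprivileged deploy account ($2) owns the
# tree, the web server group ($3) gets read/traverse only, so www-data can serve
# the code but never rewrite it. chown needs root and is skipped otherwise.
harden_webroot() {
    webroot=$1 owner=$2 webgroup=$3
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$webgroup" "$webroot"
    else
        echo "not root: skipping chown -R $owner:$webgroup $webroot" >&2
    fi
    find "$webroot" -type d -exec chmod 750 {} +
    find "$webroot" -type f -exec chmod 640 {} +
}
# Constructed sample tree (not a real site): index.php is restricted correctly,
# one module file is group-writable, as letting Drupal update its own modules
# from the web leaves it. Prints the directory path.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites/all/modules"
    find "$dir" -type d -exec chmod 750 {} +
    printf '<?php\n' > "$dir/index.php"
    printf '<?php\n' > "$dir/sites/all/modules/x.php"
    chmod 640 "$dir/index.php"
    chmod 660 "$dir/sites/all/modules/x.php"
    printf '%s\n' "$dir"
}
# Stand-alone demo: sh audit_webroot.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(make_sample_webroot)
    echo "before:"; audit_webroot "$d" www-data www-data || true
    harden_webroot "$d" "$(id -un)" "$(id -gn)"
    echo "after:"; audit_webroot "$d" www-data www-data && echo "clean"
    rm -rf "$d"
fi
```

Running it against a real site needs the real web server account in place of www-data and root for the chown step; an audit that comes back clean means the account that executes the PHP cannot rewrite it, which is the property the thread is arguing about.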