Package: php-htmlpurifier
Version: 4.7.0-2
Severity: normal

Hi.

/var/lib/php-htmlpurifier/Serializer/ is shipped with owners www-data:www-data, which is quite unfortunate for any proper production setup where the PHP code should of course not run with the user/group of the webserver (and thus have full access to any other stuff served by such a webserver).

Especially it affects any PHP SAPI other than mod_php, which allow (or enforce) running as a different user, just as it should be.

Now this directory is apparently needed for operation of php-htmlpurifier, but write access will not work for users/groups other than www-data.

One way would be to use dpkg-statoverride, but that's IMHO also a bit limited.

Could you possibly consider going another way here?

One, though I'm not sure whether this would work properly with php-htmlpurifier, is what the main PHP packages do with the session store (i.e. /var/lib/php/sessions in PHP 7.0): they simply have permissions drwx-wx-wt root:root, but of course that may not be safe, depending on how well htmlpurifier is programmed for that.

The other would be to not use www-data but e.g. root:<some special group>, and people could add those users who are allowed to write to that group, e.g. www-data, or cgi-suexec.

Cheers,
Chris.
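
The directory layouts compared in this report, as an added example that is not part of the original message or of the package: a shell script that classifies a cache directory by owner and mode and prints the matching dpkg-statoverride command for the group-based variant. The group name `htmlpurifier-cache`, the mode 2770 and the use of GNU `stat` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: GNU stat; the group name and mode 2770 are
# hypothetical choices, not something the package ships.
CACHE_DIR=${CACHE_DIR:-/var/lib/php-htmlpurifier/Serializer}
CACHE_GROUP=${CACHE_GROUP:-htmlpurifier-cache}

# Classify a directory layout from its owner name and octal mode.
layout() {
    owner=$1
    m=$((0$2))                              # leading 0: read the mode as octal
    if [ $(( $m & 0002 )) -ne 0 ]; then     # writable by everyone
        if [ $(( $m & 01000 )) -ne 0 ]; then
            echo world-writable-sticky      # e.g. 1733 = drwx-wx-wt (session store)
        else
            echo world-writable-unsafe      # anyone can delete anyone's files
        fi
    elif [ $(( $m & 0020 )) -ne 0 ]; then
        echo group-shared                   # group members can write
    elif [ "$owner" = www-data ]; then
        echo webserver-only                 # the layout this report is about
    else
        echo owner-only
    fi
}

# Classify an existing directory on disk.
audit() {
    perms=$(stat -c '%U %a' "$1") || return 1
    layout "${perms% *}" "${perms#* }"
}

# Print (do not run) the local override for the group-based layout.
# The group must exist first, e.g. created with groupadd --system.
statoverride_cmd() {
    printf 'dpkg-statoverride --update --add root %s 2770 %s\n' "$1" "$2"
}

# Stand-alone run: report the installed directory, then the override command.
if [ -d "$CACHE_DIR" ]; then
    echo "$CACHE_DIR: $(audit "$CACHE_DIR")"
fi
statoverride_cmd "$CACHE_GROUP" "$CACHE_DIR"
```

With the setgid bit in 2770, files created in the directory inherit the shared group, so every account added to that group can read what another one wrote.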