
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

2013/12/30 Bob Proulx <bob@proulx.com>
Jerry Stuckle wrote:
> Raffaele Morelli wrote:
> > Again, the www-data user can safely be the owner of everything in the
> > webroot, just think of phpmyadmin, there's nothing unsafe in www-data

The default for phpmyadmin is that the files are owned by root not
www-data.  If they were owned by www-data then they would be unsafe.
(If, and this is a hypothetical if, you told me the files were owned
by a special phpmyadmin-data account, then I would say okay too.
Because that is a different user from the www-data user.)

phpmyadmin files can be safely owned by www-data with NO write permissions and you should explain why they are not.

> > being the owner because it's an app, same apply eg. for drupal where a
> > user might be allowed to write his own module and be the owner while
> > www-data has group access r-x permissions.
>
> No, the Apache user should NEVER have write access to the
> files/scripts it can execute.  The is a huge security hole.  Even
> Drupal recommends this - see https://drupal.org/node/244924.

Agreed.  However I believe many web frameworks require that in order
to operate.  Which is why we keep hearing about exploits happening to
those frameworks every other month.  They are ripe for exploitation.

> Yes, this causes a problem with Drupal 7 being unable to update it's
> own modules.  But you can't have both.  I'd rather have security.

Me too!

Unless you prefer to be stuck with that root user ownership stuff you can have both (updates and security) and it's quite simple: just use unprivileged users as owners and vsftpd chrooting to allow modules updates.
Just wrote it once, but it's worth repeating.

Unfortunately others like it to be all of viewed from the web,
installed from the web, upgraded from the web, managed from the web.
And there lies the problem.

> >    Having user files owned by root means they can only be edited by
> >    root (unless you extend the group permissions - in which case
> >    www-data can also change the permissions).  And you should only use
> >    root when you need to change system configurations, update packages,
> >    etc.  Not for general user file editing.

Agreed.

Bob