Re: installing joomla

On 14.09.2013 20:40, Matthew J. Roth wrote:
> Reindl Harald wrote:
>>
>> www-data is *debian* because on Redhat the user/group is named "apache"
>> if you use google add your distribution to the search string!
> 
> Please explain how the specific user Apache is running as is relevant

"chown www-data" and "chgrp www-data" will not work on Redhat

> Is it only an indicator of the distribution the example is based on?  

it is simple: the same command may have different params on different distributions
see above

> If so, are you saying that distributions without SELinux support cannot securely 
> allow Apache to write files within DocumentRoot.

it's not a matter of the distribution: set permissions wisely and only
allow the apache user write access where it is really needed

the document root is *not* such a place
temp/cache folders of a web-application are

>> besides that there are *two* levels to care about: FS-permissions *and* SELinux
>>
>> chown apache:apache /path/to/folder/
>> chmod 770 /path/to/folder/
>>
>> http://david-latham.blogspot.co.at/2008/08/allow-httpd-apache-to-write-to-files.html
> 
> Are you saying to allow Apache write access, but to use SELinux to limit the
> directories and files it can update?  That sounds reasonable to me, but I get the
> impression that Tim had something else in mind from his very specific statement

i say not more and not less than that you can set filesystem permissions to whatever
you want if the SELinux context does not allow it

SELinux is an *additional* security subsystem

in the best case *any* available permission system denies *anything* which is
not needed for normal operations and if you need to allow whatever, you need
to do this for all possible involved subsystems - from a security point of view
it's easy. if one of the subsystems fails or is configured unsafe like
"chmod -R 777" the other one makes this mindless acting less critical

in doubt there is not "this or that is better", in doubt you want as many
security layers as possible: iptables, mod_security, filesystem perms and
as last resort SELinux - they are finally adaptive and depending on whatever
a bad guy tries to do on a server different layers may stop him, in the best
case the first and finally the last resort

the goal is making attacks as hard as possible because an attacker needs
to trick around all the security layers and may seek an easier target if
it takes too much time/energy to bypass all of them
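
Added example, not part of the original message: a shell check for the point made in the reply above, that the web server account should be able to write only to temp/cache folders and not to the rest of the document root, with the SELinux label shown as the second layer. The function name `audit_docroot`, the allow-list arguments and the sample path in the usage comment are assumptions; it expects GNU find and stat.

```shell
#!/bin/sh
# Added example (not from the thread): list every directory under a document
# root that the web server account can write to according to the mode bits,
# and flag the ones outside an allow-list such as tmp/ or cache/.
# Assumptions: GNU find/stat, no newlines in path names.
#
# Usage (Red Hat naming, hypothetical path and allow-list):
#   audit_docroot /var/www/html apache apache tmp cache
#
# Output per writable directory: VERDICT <TAB> mode <TAB> SELinux context <TAB> path
# Exit status: 0 if every writable directory is on the allow-list, 1 otherwise.
audit_docroot() (
    docroot=${1%/}; web_user=$2; web_group=$3; shift 3   # "$@" = allow-list
    report=$(
        # Writable for the web account = owner with u+w, group with g+w, or o+w.
        find "$docroot" -type d \( \
            \( -user "$web_user" -perm -200 \) -o \
            \( -group "$web_group" -perm -020 \) -o \
            -perm -002 \) -print |
        while IFS= read -r dir; do
            rel=${dir#"$docroot"}; rel=${rel#/}
            verdict=VIOLATION            # the document root itself lands here
            for a in "$@"; do
                # Allowed: the listed subdirectory itself or anything below it.
                case $rel in "$a"|"$a"/*) verdict=OK ;; esac
            done
            mode=$(stat -c %a -- "$dir")
            # Second layer: the SELinux label, "n/a" where it cannot be read.
            ctx=$(stat -c %C -- "$dir" 2>/dev/null) || ctx=n/a
            printf '%s\t%s\t%s\t%s\n' "$verdict" "$mode" "$ctx" "$dir"
        done
    )
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    # Last command sets the exit status: fails if any line is a VIOLATION.
    ! printf '%s\n' "$report" | grep -q '^VIOLATION'
)
```

A directory reported as OK is only writable in practice if its SELinux context also permits httpd to write there, so the context column is the thing to compare against the policy on an enforcing system.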


