please respond to the list too, well i CC the list now offlist thanks are nice but does not change that some people including list-owners still insists that i am only an asshole because i use clear language and answers with knowledge will never compensate a few hot-blooded from time to time and that is why i respond with the user in CC and not only to the list and i will continue act this way until the hell freezes over instead see respones days later one additional thing to the last reply: >> For clarification, can the temp/cache folders be subdirectories of the >> DocumentRoot or should Apache never be able to write any file it could >> potentially serve? > > it does not matter at the end of the day belongs to the question subdirectories of docroot or not > Apache never be able to write any file it could potentially serve? is clearly the point *yes* and that includes files directly served as well as parts of the application itself Am 14.09.2013 22:44, schrieb Matthew J. Roth: > Harald, > > I hope you don't mind that I'm responding off-list, but I just wanted to thank you for the insightful responses. > It's a pity that nobody else will see them until your messages pass moderation because they (as usual) > contain very valuable information. Meanwhile, others are free to use the list like their personal blog or to > provide cryptic answers that look more like riddles. > > I understand what you're saying and think that Tim's statements may just be confusing. Hopefully, he'll reply and clarify his meaning. > > Thanks, > > Matt > > ----- Original Message ----- > From: "Reindl Harald" <h.reindl@xxxxxxxxxxxxx> > To: "Matthew J. Roth" <mroth@xxxxxxxxxx> > Cc: "Community support for Fedora users" <users@xxxxxxxxxxxxxxxxxxxxxxx> > Sent: Saturday, September 14, 2013 4:05:21 PM > Subject: Re: installiing joomla > > Am 14.09.2013 21:42, schrieb Matthew J. Roth: >> Reindl Harald wrote: >>> >>> it's not a matter of the distribution set permissions wise and only >>> allow the apache user write access where it is really needed >>> >>> teh document root is *not* such a place >>> temp/cache folders of a web-application are >> >> For clarification, can the temp/cache folders be subdirectories of the >> DocumentRoot or should Apache never be able to write any file it could >> potentially serve? > > it does not matter at the end of the day > > in a perfect world you even have no phpincludes below the docroot > in most environments it will not be possible to do sou for some > hundret vhosts > >>> in the best case *any* available permission system denies *anything* which is >>> not needed for normal operations and if you need to allow whatever you need >>> to do this for all possible involved subsystems - from security point of view >>> it's easy. if one of the subsystems fails or is configuerd unsafe like >>> "chmod -R 777" the other one makes this mindless acting less critical >>> >>> in doubt there is not "this or that is better", in doubt you want as much >>> security layers as possible: iptables, mod_security, filesystem perms and >>> as last resort SELInux - they are finally adaptive and depending on whatever >>> a bad guy try to do on a server different layers may stop him, in the best >>> case the first and finally the last ressort >> >> In general, I understand layered security and the principle of least privilege. >> It's just that Tim's statements: >> >> If it's possible for Apache to write to the webspace, because it's foolishly >> owned by the apache user, your system is just ripe for being exploited. > > the document root itself is not the real problem > > the problem is that a fool gives apache write-permissions to php-scripts > and the smallest security hole after that can place code in your application > > well, put bad code in new files inside the document root by the > wep-application and send phishing mails to the URL is not that fine > > that is why any web-application written with brain has it's templates, > caches, temporary files in folders which are the only writeable by the > webserver and enforces rules *never ever* deliver anything from > these directories to a borwser (.htaccess, <Directory..>) > > and if possible includes are also in a seperated folder *not* directly > accessable by a client, outside the docroot or access to the folder denied > is a implementation detail which does not matter > >> and: >> >> For those things that need write access to the files (such as web >> blogging where the author will add to the blog by writing through the >> webserver, or a plethora of other web services), then some other method must >> be used than chowning them to apache. >> >> leave me wondering what that "other method" would be. > > the above makes *no sense* > > if the question is "apache needs to write" it doe not matter > if it's owner, group or everybody-RW access > >> In other words, if a "plethora of other web services" require write access to >> the webspace then there must either be commonly used methods to securely provide >> that functionality or a plethora of systems that are "just ripe for being >> exploited". If it's the former, I want to know what those methods are. > > put files where the application needs write access in seperate folders > if the application needs RW access everywhere throw the broken application > away because broken-by-design is not fixable
Attachment:
signature.asc
Description: OpenPGP digital signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
