fcgid/mod_fcgi and suexec and permissions

Hi,

How do I configure Apache to allow PHP scripts write access to a
document root without compromising security?

I have a Fedora 29 system with php-7.2.13 and am trying to get Joomla
installed properly and having some trouble. I'm an experienced Linux
admin, but I'm not very familiar with PHP applications and how to
manage permissions of them. I don't entirely understand the
relationship between PHP, Apache, and mod_fcgi. I fully understand how
filesystem permissions and ownership work.

I have all files at 644 and all directories at 755 in the document
root, owned by my ftpuser account. SELinux is disabled because this
server does so much other stuff.

The problem is that Joomla fails to run properly because the document
root isn't entirely owned by the Apache user. What is the best method
for managing permissions with Apache so we don't have to have all
files owned by the user which is running the Apache process?

I'm also confused about the relationship between mod_fcgid, fpm-fcgi and
suexec. I've configured php-fpm and mod_fcgid according to this doc
(and others):
https://wiki.archlinux.org/index.php/Apache_HTTP_Server#Using_php-fpm_and_mod_proxy_fcgi

I've also set SuexecUserGroup to the user I'd like to use for ftp/sftp access:

   SuexecUserGroup ftpuser ftpuser

but I don't understand how that ties in with the filesystem and
allowing Apache to write the Joomla files it needs, like the cache
directory, and to perform extension updates, while also allowing the
ftpuser to read and write the same files.

I believe I want to use mod_fcgi instead of loading PHP into Apache
directly with mod_php. Do I need to create a wrapper script, or is one
already included with Fedora?

It appears Fedora is already loading php7_module with the php package.
Do I need to disable that prior to using mod_fcgid?