Hi, > Allegedly, on or about 12 January 2019, Alex sent: > > How do I configure apache to allow PHP scripts write access to a > > document root without compromising security? > > Files/directories have three permissions, the owner, the group, and > other users. Files should *not* be owned by Apache, nor writeable by > it, allowing Apache to write to them is a major security failure. > Apache reads and serves files using the other user permissions. Yes, that is my understanding as well. It's the apache configuration part I don't understand. > What *actually* will write to your files? Is it an Apache process, or > your script. Or, probably even better, having them owned an actual > user that logs in, even if through your scripting system (e.g. when I > edit files using VIM, they're owned be me, not the VIM program). It's joomla PHP scripts running through apache, and remote sftp users running as the user logging in. Changing the files to be owned by apache allows the joomla scripts to write (just to show joomla is still running under apache), but then it prevents any other user from being able to modify any of the same files. Of course I know I could add apache to the same group as the sftp user and chmod the files to group-writable, but the joomla recommendations are to have all the files 644 and directories 755. It complains (and some parts of it won't run) when permissions are other than 644 on files. > Hopefully it is not Apache, itself. They should be owned, or part- > owned (remember there's user and group permissions) by the user or > process that will actually update them. Back when I did this for apache-2.0, or perhaps even 1.3, we would set the directories sgid and use an sgid binary that would write the files. It appears that today the php-fpm or mod_fcgid modules does something similar by first sending the files through a proxy or external script to actually do the writing. I just don't understand how that all goes together, and there is no current fedora document that shows how to do it. > Disabling SELinux is usually a "throwing the baby out with the > bathwater" solution to a problem. Yes, perhaps, and I'd be all for configuring SELinux, but it's a nightmare to configure and maintain with a large system. I'm open to ideas. It does look like there is support for it with fedora, however: # ls -lZ /usr/sbin/suexec -r-x--x---. 1 root apache system_u:object_r:httpd_suexec_exec_t:s0 15816 Jul 20 06:30 /usr/sbin/suexec Also back when I did this like a decade ago (or longer?), spawning a new process for every write was avoided because of the overhead. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
