Tim: >> What *actually* will write to your files? Is it an Apache process, >> or your script. Or, probably even better, having them owned an >> actual user that logs in, even if through your scripting system >> (e.g. when I edit files using VIM, they're owned be me, not the VIM >> program). Alex: > It's joomla PHP scripts running through apache, and remote sftp users > running as the user logging in. Changing the files to be owned by > apache allows the joomla scripts to write (just to show joomla is > still running under apache), but then it prevents any other user from > being able to modify any of the same files. > > Of course I know I could add apache to the same group as the sftp > user and chmod the files to group-writable, but the joomla > recommendations are to have all the files 644 and directories 755. It > complains (and some parts of it won't run) when permissions are other > than 644 on files. Perhaps the question is more about *who* should own the files, rather than the permissions. e.g. https://www.google.com/search?q=what+user+should+own+joomla+files https://joomla.stackexchange.com/questions/132/recommended-practices-regarding-joomla-file-directory-permissions-and-ownership/161 https://forum.joomla.org/viewtopic.php?t=121470 https://forum.joomla.org/viewtopic.php?t=891689 https://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup#File_permissions I don't use Joomla, nor do I know what you're going to do with it, so I'm only approaching this on what I know about webserving directly with Apache. Looking at some of the results, I don't see useful answers to who should own them. I do see comments about the default PHP handlers, etc., not being the best choice, and you could have to change web hosting providers to do the job properly. (I've still got to change mine, I deliberately picked one using Apache, then they got bought out and changed to LightSpeed, which is only partially compatible, and fails some of my needs, at some rather basic Apache features.) I saw one hint that you might have to loosen permissions to set things up, then restrict them once the installation had finished. It all sounds badly cobbled together, to me. > It appears that today the php-fpm or mod_fcgid modules does something > similar by first sending the files through a proxy or external script > to actually do the writing. That's not too surprising. They could filter traffic, and only allow what should be allowed, and keep the writable files in a different area. If you make any file writeable by Apache, and that file can somehow be addressed through Apache, you're going to get hacked. -- [tim@localhost ~]$ uname -rsvp Linux 4.16.11-100.fc26.x86_64 #1 SMP Tue May 22 20:02:12 UTC 2018 x86_64 Boilerplate: All mail to my mailbox is automatically deleted. There is no point trying to privately email me, I only get to see the messages posted to the mailing list. - Mwuu haha haaaaa haaaa, soon the world will be mine! - Sir, you've got to take your finger off the intercom button. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
