Hi, I have a fedora24 install with apache-2.4.23 and the latest version of joomla, and having some problems with the inability of the apache user to modify files while also allowing the site admin account modify those same files in the document root. I understand there are several solutions to this problem, but I don't know which one is the best for me, both from a security and functionality perspective. I've been setting up apache sites for a really long time, although I don't claim to be an expert. I also know that adding both the site admin user (joomadmin, in my case) and the apache user (apache) to a common group then making everything writable by that group (with sgid as well) isn't the best solution. Ideally, I'd like the apache user to not have any write capability to limit the possibility of a site compromise from taking down the whole site. The umask on fedora is 0022 by default, and I can't figure out how to change it to something that would even enable setting the group sgid such that users in the group can write files while maintaining group permissions. Here's an example of what happens with the apache user creating new directories (such as what would happen when new joomla modules are installed through the joomla interface): -bash-4.3$ id uid=48(apache) gid=48(apache) groups=48(apache),993(nagios),1000(joomadmin) -bash-4.3$ umask 0022 -bash-4.3$ mkdir mod_tmp -bash-4.3$ ls -ld mod_tmp drwxr-sr-x 2 apache joomadmin 4096 Oct 26 10:19 mod_tmp Creating directories with mode 755 (with sgid bit inherited) does not leave any ability for other users in that group to write files to that directory. I understand there is also suPHP, but it seems like it's no longer maintained? I'm open to the PHP-FPM option, but I wanted to first ask the list how they're handing the situation? It looks very involved to install and potentially affects overall server performance. Are you making the site admin user accessing and modifying the site remotely (scp, sFTP, etc) the same as apache? Are you using PHP-FPM? If so, is there a Fedora or Apache guide you recommend? Are you changing the umask to be able to put the two users in the same group? If so, how? I tried editing the unit service, and changing the umask there, but that didn't have any effect. Thanks, Alex --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|