Hi,
Thanks for the details.
So I continued delving into the nginx instance configuration. There were a couple more files in /etc/phpMyAdmin, /var/lib/php and /var/lib/phpMyAdmin belonging to user root and group apache, as per the default installation. After some more fixes everything went well, but my opinion is still the same. I see the point of httpd vs nginx in performance, but I think that the default configuration should be more flexible. What about creating a 'www' group, with users 'nginx' and 'apache' added to it? Then files in /var/www, /var/lib/php and /var/lib/phpMyAdmin would belong to the 'www' group. In this way, after default installation, permissions would be fixed for both web servers without further notice.
Maybe someone from the package team can help us...
Regards,
F
2017-11-26 21:28 GMT+01:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:
On 26.11.2017 at 20:55, Francesco Giancane wrote:
Thank you for the reply. I was not saying that it is the most secure configuration; my point was that in that way everything is not working out of the box on nginx, while on httpd it is transparent.
the default for httpd is also php-fpm
In my opinion, default installation should work without modifying my system configurations; securing my installation should be a separate step
in the best case yes
in doubt default setups have to be secure because most users don't have the knowledge to secure things on their own, just read IT news about open MongoDB and what not else in the past few years
What I am asking here is why php-fpm runs by default under the Apache user...
likely because most people use httpd and nginx is normally used where performance matters and sysadmins are expected to know what to do
in any case some knowledge is expected when running servers
Following your arguments it would be better to be under fpm user account.
yes
On 26 Nov 2017 20:42, "Reindl Harald" <h.reindl@xxxxxxxxxxxxx> wrote:
On 26.11.2017 at 20:18, Francesco Giancane wrote:
If you switch to nginx, you actually have to run both nginx and
php-fpm; because those are two different processes, you have to
grant permissions to both on the same files, which to me seems
unnecessary
breaking news: that's how secure setups are supposed to work
everything should only have the permissions it really needs
in doubt you even have separated users for each fpm worker-pool
meaning each website can only access the files belonging to that user
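Added example, not part of the thread or of any package's code: a small model of the POSIX owner/group/other check, applied to the three layouts discussed above (the default root:apache ownership, the proposed shared 'www' group, and one user per php-fpm pool). The owner and group names come from the thread; the mode bits, the `/var/www/site_a` and `/var/www/site_b` paths and the `site_a`/`site_b` users are constructed for illustration, and root and ACLs are ignored.

```python
from typing import NamedTuple

class Account(NamedTuple):
    name: str
    groups: frozenset   # primary and supplementary group names

class Entry(NamedTuple):
    path: str
    owner: str
    group: str
    mode: int           # permission bits, e.g. 0o770

def access(acct: Account, entry: Entry) -> str:
    """POSIX class selection: owner first, then group, then other."""
    if acct.name == entry.owner:
        bits = entry.mode >> 6
    elif entry.group in acct.groups:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

def matrix(accounts, entries):
    """Map (account name, path) to the effective 'rwx' string."""
    return {(a.name, e.path): access(a, e) for a in accounts for e in entries}

def acct(name, *extra):
    return Account(name, frozenset((name,) + extra))

# Constructed sample data: root:apache ownership as in the thread, modes assumed.
DEFAULT = [
    Entry("/etc/phpMyAdmin", "root", "apache", 0o750),
    Entry("/var/lib/php", "root", "apache", 0o770),
    Entry("/var/lib/phpMyAdmin", "root", "apache", 0o750),
]
# The proposal from the thread: same files, group changed to a shared 'www'.
SHARED = [e._replace(group="www") for e in DEFAULT]
# One user per php-fpm pool (hypothetical users and paths).
PER_POOL = [
    Entry("/var/www/site_a", "site_a", "site_a", 0o750),
    Entry("/var/www/site_b", "site_b", "site_b", 0o750),
]

if __name__ == "__main__":
    for title, accounts, entries in (
        ("default", [acct("apache"), acct("nginx")], DEFAULT),
        ("shared www group", [acct("apache", "www"), acct("nginx", "www")], SHARED),
        ("per-pool users", [acct("site_a"), acct("site_b")], PER_POOL),
    ):
        print(title)
        for (who, path), perms in matrix(accounts, entries).items():
            print(f"  {who:8} {path:22} {perms}")
```

With the shared group, the nginx account gains the same access to the PHP data directories as the PHP worker, while the per-pool layout keeps each site's user out of the other site's tree.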