Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PHP/Webserver system user separation #34

Open
drybjed opened this issue Feb 4, 2016 · 6 comments
Open

PHP/Webserver system user separation #34

drybjed opened this issue Feb 4, 2016 · 6 comments

Comments

@drybjed
Copy link
Member

drybjed commented Feb 4, 2016

Because after the switch to the packaged ownCloud the user that runs the php5-fpm processes is www-data, maybe a good idea would be to restrict it to only the directories that the application needs? I imagine that would be something like:

  • /tmp
  • /usr/share/php5
  • /var/www/owncloud

Probably something else as well. That should prevent the ownCloud's www-data instance messing with other directories accessible by www-data user. Thoughts?

@ypid
Copy link
Member

ypid commented Feb 4, 2016

Sure, I always support the principle of least privilege. Maybe we could even create a owncloud user under which php could run? Or are you thinking about MAC or both?

@drybjed
Copy link
Member Author

drybjed commented Feb 4, 2016

Having a separate user for ownCloud PHP application would probably be best. Any owner/group changes needed for ownCloud to work, like /var/www/owncloud/data/ and similar could probably be handled by dpkg-statoverride.

@Gomez
Copy link
Contributor

Gomez commented Feb 18, 2016

Access to /dev/urandom is needed, too.

@Polichronucci
Copy link

dpkg-statoverride will only change single files and directories per line. Owncloud needs a lot of files and directories to have complicated owner permissions. Wouldn't it be easier to have a script to do this? There is also an official one.

@ypid
Copy link
Member

ypid commented Jul 20, 2016

@Polichronucci thanks for the hint. I guess the permission change script could be based on that.

@Polichronucci
Copy link

With the script changing the permissions will work for both new and already existing installations.
Alright I will try to implement this and let you know.

@ypid ypid added this to the v0.4.0 milestone Aug 3, 2016
@ypid ypid added the status/WIP label Aug 8, 2016
@ypid ypid changed the title PHP5 open_basedir for ownCloud PHP/Webserver system user separation Aug 8, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants