PHP/Webserver system user separation #34
Comments
Sure, I always support the principle of least privilege. Maybe we could even create an owncloud user under which php could run? Or are you thinking about MAC or both?
Having a separate user for ownCloud PHP application would probably be best. Any owner/group changes needed for ownCloud to work, like
Access to /dev/urandom is needed, too.
dpkg-statoverride will only change single files and directories per line. ownCloud needs a lot of files and directories to have complicated owner permissions. Wouldn't it be easier to have a script to do this? There is also an official one.
@Polichronucci thanks for the hint. I guess the permission change script could be based on that.
With the script, changing the permissions will work for both new and already existing installations.
Because after the switch to the packaged ownCloud the user that runs the `php5-fpm` processes is `www-data`, maybe a good idea would be to restrict it to only the directories that the application needs? I imagine that would be something like:

/tmp
/usr/share/php5
/var/www/owncloud

Probably something else as well. That should prevent the ownCloud's `www-data` instance messing with other directories accessible by the `www-data` user. Thoughts?
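
One way the proposal in this thread could look as a dedicated PHP-FPM pool, given here as an added example and not the project's own configuration. The pool file name, socket path and process-manager numbers are assumptions, the `owncloud` user is the one suggested in the comments, and using `open_basedir` as the restriction mechanism is also an assumption, since the thread does not name one.

```ini
; Assumed location: /etc/php5/fpm/pool.d/owncloud.conf
; A separate pool so ownCloud's PHP workers no longer share www-data
; with every other PHP application on the host.
[owncloud]

; Dedicated system account proposed in the comments (must exist already).
user = owncloud
group = owncloud

; Socket path is an assumption. The web server still runs as www-data,
; so it owns the socket and is the only account allowed to connect.
listen = /var/run/php5-fpm-owncloud.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Small dynamic pool; the numbers are placeholders to tune per host.
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Limit PHP file access to the directories listed in the issue, plus
; /dev/urandom from the comments. php_admin_value cannot be overridden
; by ini_set() or .user.ini. Entries are prefixes, so the trailing
; slash keeps /tmp/ from also matching a sibling such as /tmp-other.
php_admin_value[open_basedir] = /tmp/:/usr/share/php5/:/var/www/owncloud/:/dev/urandom
```

`open_basedir` is enforced by the PHP interpreter itself, so it narrows what ownCloud's PHP code can open but does not replace the separate user or a MAC profile, both of which are enforced by the kernel.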