installing joomla

Reindl Harald h.reindl at thelounge.net
Sat Sep 14 20:05:21 UTC 2013



On 14.09.2013 21:42, Matthew J. Roth wrote:
> Reindl Harald wrote:
>>
>> it's not a matter of the distribution set permissions wise and only
>> allow the apache user write access where it is really needed
>>
>> the document root is *not* such a place
>> temp/cache folders of a web-application are
> 
> For clarification, can the temp/cache folders be subdirectories of the
> DocumentRoot or should Apache never be able to write any file it could
> potentially serve?

it does not matter at the end of the day

in a perfect world you even have no php includes below the docroot
in most environments it will not be possible to do so for some
hundred vhosts

>> in the best case *any* available permission system denies *anything* which is
>> not needed for normal operations and if you need to allow whatever you need
>> to do this for all possible involved subsystems - from security point of view
>> it's easy. if one of the subsystems fails or is configured unsafe like
>> "chmod -R 777" the other one makes this mindless acting less critical
>>
>> in doubt there is not "this or that is better", in doubt you want as much
>> security layers as possible: iptables, mod_security, filesystem perms and
>> as last resort SELinux - they are finally adaptive and depending on whatever
>> a bad guy tries to do on a server different layers may stop him, in the best
>> case the first and finally the last resort
> 
> In general, I understand layered security and the principle of least privilege.
> It's just that Tim's statements:
> 
>   If it's possible for Apache to write to the webspace, because it's foolishly
>   owned by the apache user, your system is just ripe for being exploited.

the document root itself is not the real problem

the problem is that a fool gives apache write-permissions to php-scripts
and the smallest security hole after that can place code in your application

well, put bad code in new files inside the document root by the
web-application and send phishing mails to the URL is not that fine

that is why any web-application written with brain has its templates,
caches, temporary files in folders which are the only ones writable by the
webserver and enforces rules to *never ever* deliver anything from
these directories to a browser (.htaccess, <Directory..>)

and if possible includes are also in a separate folder *not* directly
accessible by a client, outside the docroot or access to the folder denied
is an implementation detail which does not matter

> and:
> 
>   For those things that need write access to the files (such as web
>   blogging where the author will add to the blog by writing through the
>   webserver, or a plethora of other web services), then some other method must
>   be used than chowning them to apache.
> 
> leave me wondering what that "other method" would be.

the above makes *no sense*

if the question is "apache needs to write" it does not matter
if it's owner, group or everybody-RW access

> In other words, if a "plethora of other web services" require write access to
> the webspace then there must either be commonly used methods to securely provide
> that functionality or a plethora of systems that are "just ripe for being
> exploited".  If it's the former, I want to know what those methods are.

put files where the application needs write access in separate folders
if the application needs RW access everywhere throw the broken application
away because broken-by-design is not fixable
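As an added example (not code from this thread, from Joomla or from Apache), the layout the mail argues for, as a shell script: a docroot the webserver can only read, writable cache/tmp directories beside it that Apache is told never to serve, and an audit that finds scripts left writable by group or other. The vhost path, file names and the 0664 "defect" are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example: separate the read-only docroot from the
# directories the web application must write to, then audit it.
set -e

# Lay out one vhost: htdocs is read-only for the webserver, cache/ and
# tmp/ are the only places it may write (in practice owned by the
# webserver user; chown is left out so this runs unprivileged).
make_layout() {
  root="$1"
  mkdir -p "$root/htdocs/includes" "$root/cache" "$root/tmp"
  printf '<?php echo "index";\n' > "$root/htdocs/index.php"
  printf '<?php echo "upload";\n' > "$root/htdocs/upload.php"
  chmod 0755 "$root/htdocs" "$root/htdocs/includes"
  chmod 0644 "$root/htdocs/index.php"
  chmod 0664 "$root/htdocs/upload.php"   # constructed defect: group-writable script
  chmod 0770 "$root/cache" "$root/tmp"   # writable state lives outside htdocs
}

# Apache fragment for that layout: whatever lands in the writable
# directories is never delivered to a browser.
apache_fragment() {
  root="$1"
  cat <<EOF
DocumentRoot "$root/htdocs"
<Directory "$root/htdocs">
    Require all granted
</Directory>
<Directory "$root/cache">
    Require all denied
</Directory>
<Directory "$root/tmp">
    Require all denied
</Directory>
EOF
}

# Audit: PHP files under the docroot that are writable by group or other,
# i.e. scripts a compromised webserver process could rewrite.
writable_scripts() {
  find "$1" -type f -name '*.php' \( -perm -020 -o -perm -002 \) | sort
}

# Stand-alone demo: ./layout.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_layout "$d"
  apache_fragment "$d"
  echo "writable scripts:"; writable_scripts "$d/htdocs"
  rm -rf "$d"
fi
```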
