installiing joomla

Sat Sep 14 20:55:56 UTC 2013

please respond to the list too, well i CC the list now

offlist thanks are nice but does not change that some people including list-owners
still insists that i am only an asshole because i use clear language and answers
with knowledge will never compensate a few hot-blooded from time to time and
that is why i respond with the user in CC and not only to the list and i will
continue act this way until the hell freezes over instead see respones days later

one additional thing to the last reply:

>> For clarification, can the temp/cache folders be subdirectories of the
>> DocumentRoot or should Apache never be able to write any file it could
>> potentially serve?
>
> it does not matter at the end of the day

belongs to the question subdirectories of docroot or not

> Apache never be able to write any file it could potentially serve?

is clearly the point *yes* and that includes files directly served
as well as parts of the application itself

Am 14.09.2013 22:44, schrieb Matthew J. Roth:
> Harald,
> 
> I hope you don't mind that I'm responding off-list, but I just wanted to thank you for the insightful responses.  
> It's a pity that nobody else will see them until your messages pass moderation because they (as usual) 
> contain very valuable information.  Meanwhile, others are free to use the list like their personal blog or to 
> provide cryptic answers that look more like riddles.
> 
> I understand what you're saying and think that Tim's statements may just be confusing.  Hopefully, he'll reply and clarify his meaning.
> 
> Thanks,
> 
> Matt
> 
> ----- Original Message -----
> From: "Reindl Harald" <h.reindl at thelounge.net>
> To: "Matthew J. Roth" <mroth at imminc.com>
> Cc: "Community support for Fedora users" <users at lists.fedoraproject.org>
> Sent: Saturday, September 14, 2013 4:05:21 PM
> Subject: Re: installiing joomla
> 
> Am 14.09.2013 21:42, schrieb Matthew J. Roth:
>> Reindl Harald wrote:
>>>
>>> it's not a matter of the distribution set permissions wise and only
>>> allow the apache user write access where it is really needed
>>>
>>> teh document root is *not* such a place
>>> temp/cache folders of a web-application are
>>
>> For clarification, can the temp/cache folders be subdirectories of the
>> DocumentRoot or should Apache never be able to write any file it could
>> potentially serve?
> 
> it does not matter at the end of the day
> 
> in a perfect world you even have no phpincludes below the docroot
> in most environments it will not be possible to do sou for some
> hundret vhosts
> 
>>> in the best case *any* available permission system denies *anything* which is
>>> not needed for normal operations and if you need to allow whatever you need
>>> to do this for all possible involved subsystems - from security point of view
>>> it's easy. if one of the subsystems fails or is configuerd unsafe like
>>> "chmod -R 777" the other one makes this mindless acting less critical
>>>
>>> in doubt there is not "this or that is better", in doubt you want as much
>>> security layers as possible: iptables, mod_security, filesystem perms and
>>> as last resort SELInux - they are finally adaptive and depending on whatever
>>> a bad guy try to do on a server different layers may stop him, in the best
>>> case the first and finally the last ressort
>>
>> In general, I understand layered security and the principle of least privilege.
>> It's just that Tim's statements:
>>
>>   If it's possible for Apache to write to the webspace, because it's foolishly
>>   owned by the apache user, your system is just ripe for being exploited.
> 
> the document root itself is not the real problem
> 
> the problem is that a fool gives apache write-permissions to php-scripts
> and the smallest security hole after that can place code in your application
> 
> well, put bad code in new files inside the document root by the
> wep-application and send phishing mails to the URL is not that fine
> 
> that is why any web-application written with brain has it's templates,
> caches, temporary files in folders which are the only writeable by the
> webserver and enforces rules *never ever* deliver anything from
> these directories to a borwser (.htaccess, <Directory..>)
> 
> and if possible includes are also in a seperated folder *not* directly
> accessable by a client, outside the docroot or access to the folder denied
> is a implementation detail which does not matter
> 
>> and:
>>
>>   For those things that need write access to the files (such as web
>>   blogging where the author will add to the blog by writing through the
>>   webserver, or a plethora of other web services), then some other method must
>>   be used than chowning them to apache.
>>
>> leave me wondering what that "other method" would be.
> 
> the above makes *no sense*
> 
> if the question is "apache needs to write" it doe not matter
> if it's owner, group or everybody-RW access
> 
>> In other words, if a "plethora of other web services" require write access to
>> the webspace then there must either be commonly used methods to securely provide
>> that functionality or a plethora of systems that are "just ripe for being
>> exploited".  If it's the former, I want to know what those methods are.
> 
> put files where the application needs write access in seperate folders
> if the application needs RW access everywhere throw the broken application
> away because broken-by-design is not fixable

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130914/e83692b0/attachment-0001.sig>