installing joomla

Reindl Harald h.reindl at thelounge.net
Sat Sep 14 18:49:50 UTC 2013



On 14.09.2013 20:40, Matthew J. Roth wrote:
> Reindl Harald wrote:
>>
>> www-data is *debian* because on Redhat the user/group is named "apache"
>> if you use Google, add your distribution to the search string!
> 
> Please explain how the specific user Apache is running as is relevant

"chown www-data" and "chgrp www-data" will not work on Redhat

> Is it only an indicator of the distribution the example is based on?  

it is simple: the same command may have different params on different distributions
see above

> If so, are you saying that distributions without SELinux support cannot securely 
> allow Apache to write files within DocumentRoot.

it's not a matter of the distribution; set permissions wisely and only
allow the apache user write access where it is really needed

the document root is *not* such a place
temp/cache folders of a web-application are

>> besides that there a *two* levels to care: FS-permissions *and* SELinux
>>
>> chown apache:apache /path/to/folder/
>> chmod 770 /path/to/folder/
>>
>> http://david-latham.blogspot.co.at/2008/08/allow-httpd-apache-to-write-to-files.html
> 
> Are you saying to allow Apache write access, but to use SELinux to limit the
> directories and files it can update?  That sounds reasonable to me, but I get the
> impression that Tim had something else in mind from his very specific statement

I say no more and no less than that you can set filesystem permissions to whatever
you want if the SELinux context does not allow it

SELinux is an *additional* security subsystem

in the best case *any* available permission system denies *anything* which is
not needed for normal operations, and if you need to allow something you need
to do this for all possibly involved subsystems - from a security point of view
it's easy: if one of the subsystems fails or is configured unsafely like
"chmod -R 777", the other one makes this mindless acting less critical

in doubt there is no "this or that is better"; in doubt you want as many
security layers as possible: iptables, mod_security, filesystem perms and
as last resort SELinux - they are finally adaptive, and depending on whatever
a bad guy tries to do on a server different layers may stop him, in the best
case the first and finally the last resort

the goal is making attacks as hard as possible because an attacker needs
to trick around all the security layers and may seek an easier target if
it takes too much time/energy to bypass all of them
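The two-layer layout discussed in this thread (root-owned document root, the web user allowed to write only to its own temp/cache folders, and an SELinux type on top of the filesystem bits), written out as a shell script. This is an added example, not code posted by Reindl Harald or anyone else on the list; it assumes the web user is named "apache" or "www-data" depending on the distribution, that the application keeps its writable state in "tmp" and "cache" (Joomla's default names, but any list can be passed), and that the SELinux type allowing httpd writes is httpd_sys_rw_content_t. chown and chcon only take effect when run as root on a system where those users and SELinux exist; everything else works in a non-root dry run on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original mail. Lock down a web application's
# document root so the web server user can write only to the folders given
# on the command line, and audit that no other directory is writable.
#
# Assumptions (not stated in the thread): web user is "apache" (Red Hat) or
# "www-data" (Debian); writable folders default to Joomla's "tmp" and "cache";
# SELinux type for httpd-writable content is httpd_sys_rw_content_t.

set -eu

# Pick the distribution's web user; fall back to the current user so the
# script can be dry-run unprivileged (no chown happens in that case).
web_user() {
    if id apache >/dev/null 2>&1; then echo apache
    elif id www-data >/dev/null 2>&1; then echo www-data
    else id -un; fi
}

# harden_webroot DOCROOT [WRITABLE_SUBDIR...]
harden_webroot() {
    docroot=$1; shift
    user=$(web_user)

    # Layer 1, filesystem: code is root-owned, readable by the web user's
    # group, writable by nobody but root (750 dirs / 640 files).
    if [ "$(id -u)" -eq 0 ]; then chown -R root:"$user" "$docroot"; fi
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +

    # Writable state only: owned by the web user, 770 dirs / 660 files,
    # i.e. the "chown apache:apache ; chmod 770" from the thread.
    for sub in "$@"; do
        dir=$docroot/$sub
        mkdir -p "$dir"
        if [ "$(id -u)" -eq 0 ]; then chown -R "$user":"$user" "$dir"; fi
        find "$dir" -type d -exec chmod 770 {} +
        find "$dir" -type f -exec chmod 660 {} +

        # Layer 2, SELinux: without the rw type httpd cannot write here no
        # matter what the mode bits say. chcon is not persistent across a
        # relabel; for that use "semanage fcontext -a" plus "restorecon".
        if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
            chcon -R -t httpd_sys_rw_content_t "$dir"
        fi
    done
}

# audit_webroot DOCROOT [WRITABLE_SUBDIR...]
# Prints every group- or world-writable directory under DOCROOT that is not
# inside one of the allowed subdirs (catches a stray "chmod -R 777").
# Returns 0 if the tree is clean, 1 otherwise.
audit_webroot() {
    docroot=$1; shift
    bad=0
    list=$(mktemp)
    find "$docroot" -type d -perm /022 > "$list"
    while IFS= read -r d; do
        allowed=0
        for sub in "$@"; do
            case "$d" in "$docroot/$sub"|"$docroot/$sub"/*) allowed=1 ;; esac
        done
        if [ "$allowed" -eq 0 ]; then
            echo "writable outside allowlist: $d"
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$bad" -eq 0 ]
}

# Usage (as root on the real server):
#   harden_webroot /var/www/html/joomla tmp cache
#   audit_webroot  /var/www/html/joomla tmp cache
```

Run the audit after every extension install or manual fix; the SELinux check it does not perform is `ls -Z` on the writable folders, which should show httpd_sys_rw_content_t only there and httpd_sys_content_t on the code.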


