PHP/Webserver system user separation
Because, after the switch to the packaged ownCloud, the user that runs the php5-fpm processes is www-data, maybe a good idea would be to restrict it to only the directories that the application needs? I imagine that would be something like:
- /tmp
- /usr/share/php5
- /var/www/owncloud
Probably something else as well. That should prevent ownCloud's www-data instance from messing with other directories accessible to the www-data user. Thoughts?
Sure, I always support the principle of least privilege. Maybe we could even create an owncloud user under which php could run? Or are you thinking about MAC or both?
Having a separate user for the ownCloud PHP application would probably be best. Any owner/group changes needed for ownCloud to work, like /var/www/owncloud/data/ and similar, could probably be handled by dpkg-statoverride.
Access to /dev/urandom is needed, too.
dpkg-statoverride will only change single files and directories per line. ownCloud needs a lot of files and directories to have complicated owner permissions. Wouldn't it be easier to have a script to do this? There is also an official one.
@Polichronucci thanks for the hint. I guess the permission change script could be based on that.
With the script, changing the permissions will work for both new and already existing installations. Alright, I will try to implement this and let you know.