Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 6 Feb 2012 11:46:17 -0600
From:      Mark Felder <feld@feld.me>
To:        freebsd-questions@freebsd.org
Subject:   Re: fbsd safety of the ports
Message-ID:  <op.v89qbfem34t2sn@tech304>
In-Reply-To: <4F300FCD.8070804@nagual.nl>
References:  <4F300FCD.8070804@nagual.nl>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Mon, 06 Feb 2012 11:37:17 -0600, <dick@nagual.nl> wrote:

> I'm a bit confused. I always believed FreeBSD is a very safe system.  
> That may be true for the core files, but what about ports.
>  On the net I read _never_ to let the webserver be the owner of its  
> files and yet, ports like Drupal or WordPress make the files rwx for the  
> owner (www) as well as the group (www). How does this fit into fbsd's  
> safety policy?
>  I guess you might say it's the task of the port maintainer, but isn't  
> there some kind of port acceptance policy?
> Imho this situation is a bit confusing at least I'd like to get some  
> info on this if possible.

In my opinion it's up to the admin to make sure the sites their hosted are  
setup with proper permissions. If you haven't run into it yet I'd be  
surprised -- Wordpress/Joomla/etc seem to throw a fit when you don't give  
them full write access to certain directories (for caching and whatnot)  
and if you don't have them update via the FTP method they require write  
access everywhere. This is excluding weird add-ons and plugins that want  
write access everywhere as well, which I've seen many times.

Securing a CMS properly is harder than it should be. Sometimes I feel the  
safest way would be to run two copies of the site: one that's read-only  
(including database read only perms) and another that you use for  
managing, updating, etc.

However, now you've alienated anyone from ever being able to comment on  
your blog.......

Security, Low Difficulty, Functionality -- pick two.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?op.v89qbfem34t2sn>