From owner-freebsd-questions@FreeBSD.ORG Mon Feb 6 17:46:30 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A71F6106566C for ; Mon, 6 Feb 2012 17:46:30 +0000 (UTC) (envelope-from feld@feld.me) Received: from mwi1.coffeenet.org (unknown [IPv6:2607:f4e0:100:300::2]) by mx1.freebsd.org (Postfix) with ESMTP id DF1C68FC08 for ; Mon, 6 Feb 2012 17:46:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=feld.me; s=blargle; h=In-Reply-To:Message-Id:From:Mime-Version:Date:References:Subject:To:Content-Type; bh=8GR2Os+rQ7scLEc+nTsmaGV/Utzf9UTY8l7zy7vqh9E=; b=TXg3T2oG46SS7XCTjxbUVkFqb7ds4g5jJmw2PsJbfTPGmCPgDbHCaIflDiiGHVRgM9h2FpUsJYtiVx8EcPbKIpdegQGVGGkd393q31Wv4xTCh9UVwy7//aJXta8Zoc+w; Received: from localhost ([127.0.0.1] helo=mwi1.coffeenet.org) by mwi1.coffeenet.org with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1RuSe0-000MNS-2w for freebsd-questions@freebsd.org; Mon, 06 Feb 2012 11:46:28 -0600 Received: from feld@feld.me by mwi1.coffeenet.org (Archiveopteryx 3.1.4) with esmtpsa id 1328550377-3359-3358/5/7; Mon, 6 Feb 2012 17:46:17 +0000 Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes To: freebsd-questions@freebsd.org References: <4F300FCD.8070804@nagual.nl> Date: Mon, 6 Feb 2012 11:46:17 -0600 Mime-Version: 1.0 From: Mark Felder Message-Id: In-Reply-To: <4F300FCD.8070804@nagual.nl> User-Agent: Opera Mail/12.00 (FreeBSD) X-SA-Score: -1.5 Subject: Re: fbsd safety of the ports X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Feb 2012 17:46:30 -0000 On Mon, 06 Feb 2012 11:37:17 -0600, wrote: > I'm a bit confused. I always believed FreeBSD is a very safe system. > That may be true for the core files, but what about ports. > On the net I read _never_ to let the webserver be the owner of its > files and yet, ports like Drupal or WordPress make the files rwx for the > owner (www) as well as the group (www). How does this fit into fbsd's > safety policy? > I guess you might say it's the task of the port maintainer, but isn't > there some kind of port acceptance policy? > Imho this situation is a bit confusing at least I'd like to get some > info on this if possible. In my opinion it's up to the admin to make sure the sites their hosted are setup with proper permissions. If you haven't run into it yet I'd be surprised -- Wordpress/Joomla/etc seem to throw a fit when you don't give them full write access to certain directories (for caching and whatnot) and if you don't have them update via the FTP method they require write access everywhere. This is excluding weird add-ons and plugins that want write access everywhere as well, which I've seen many times. Securing a CMS properly is harder than it should be. Sometimes I feel the safest way would be to run two copies of the site: one that's read-only (including database read only perms) and another that you use for managing, updating, etc. However, now you've alienated anyone from ever being able to comment on your blog....... Security, Low Difficulty, Functionality -- pick two.