Date: Tue, 7 Feb 2012 14:15:28 -0800
From: David Brodbeck <gull@gull.us>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: fbsd safety of the ports
Message-ID: <CAHhngE0Y1hFQv4dUvaKFz68kwNWERAAJKpirTV0bvAiPmPx_aA@mail.gmail.com>
In-Reply-To: <4F300FCD.8070804@nagual.nl>
References: <4F300FCD.8070804@nagual.nl>

On Mon, Feb 6, 2012 at 9:37 AM, dick <dick@nagual.nl> wrote:
> I'm a bit confused. I always believed FreeBSD is a very safe system. That
> may be true for the core files, but what about ports.
>
> On the net I read _never_ to let the webserver be the owner of its files and
> yet, ports like Drupal or WordPress make the files rwx for the owner (www)
> as well as the group (www). How does this fit into fbsd's safety policy?

Content management systems are a bit of a sticky wicket for security. The
reason for not allowing the web server user to own files is so that someone
who hacks a web app can't modify the site contents. But the whole reason for
running a CMS system is to allow modifying the site contents via a web app.

One compromise, used by TWiki and some other systems, is to make the content
writable by web processes but the actual code read-only. That's more secure
but it requires a lot of manual intervention for updates and configuration
changes.

You *can* run WordPress this way, and it will be more secure, but you'll lose
the automated update functionality as well as most of the web GUI
configuration capability. Not necessarily a problem if you have good command
line fu, but it can get tedious.
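The split described in the message above (code read-only, content writable by web processes), as an added example that is not part of the original e-mail or of any port: shell functions that audit a tree for paths the web user could modify and then apply the split. The function names, the numeric uid/gid arguments, the choice of wp-content/uploads as the content directory and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Assumed layout: one
# content directory under the site root; everything else is code.

# Print every path outside CONTENT that USER or GROUP could modify.
audit_writable() {  # audit_writable ROOT CONTENT USER GROUP
    find "$1" -path "$1/$2" -prune -o ! -type l \
        \( \( -user "$3" -perm -200 \) -o \( -group "$4" -perm -020 \) \
           -o -perm -002 \) -print
}

# Apply the split. Ownership changes need root and are skipped otherwise;
# mode bits alone do not stop a file's owner from chmod-ing them back,
# so on a real site the code must belong to a different account.
harden() {  # harden ROOT CONTENT CODE_OWNER USER GROUP
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$3:$5" "$1"          # code: not owned by the web user
        chown -R "$4:$5" "$1/$2"       # content: owned by the web user
    fi
    chmod -R a-w "$1"                  # nothing writable by default
    chmod -R u+rwX,g+rwX,o-w "$1/$2"   # content only: owner and group write
}

# Constructed sample tree standing in for a CMS install; starts in the
# "rwx for owner and group" state the question describes.
make_sample() {  # prints the path of the new tree
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-includes" "$t/wp-content/uploads"
    echo '<?php' > "$t/index.php"
    echo '<?php' > "$t/wp-includes/load.php"
    echo 'img'   > "$t/wp-content/uploads/photo.jpg"
    chmod -R u+rwX,g+rwX "$t"
    echo "$t"
}
```

After `harden`, the directories that hold plugins, themes and core files are no longer writable by the web user, which is why the automated update and web GUI configuration features mentioned in the message stop working.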