Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Feb 2012 17:59:27 -0500
From:      mikel king <mikel.king@olivent.com>
To:        David Brodbeck <gull@gull.us>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: fbsd safety of the ports
Message-ID:  <6F081A41-0EA8-4DB4-8FB9-F2E9A75EC948@olivent.com>
In-Reply-To: <CAHhngE0Y1hFQv4dUvaKFz68kwNWERAAJKpirTV0bvAiPmPx_aA@mail.gmail.com>
References:  <4F300FCD.8070804@nagual.nl> <CAHhngE0Y1hFQv4dUvaKFz68kwNWERAAJKpirTV0bvAiPmPx_aA@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On Feb 7, 2012, at 5:15 PM, David Brodbeck wrote:

> On Mon, Feb 6, 2012 at 9:37 AM, dick <dick@nagual.nl> wrote:
>> I'm a bit confused. I always believed FreeBSD is a very safe system. =
That
>> may be true for the core files, but what about ports.
>>=20
>> On the net I read _never_ to let the webserver be the owner of its =
files and
>> yet, ports like Drupal or WordPress make the files rwx for the owner =
(www)
>> as well as the group (www). How does this fit into fbsd's safety =
policy?
>=20
> Content management systems are a bit of a sticky wicket for security.
>=20
> The reason for not allowing the web server user to own files is so
> that someone who hacks a web app can't modify the site contents.  But
> the whole reason for running a CMS system is to allow modifying the
> site contents via a web app.
>=20
> One compromise, used by TWiki and some other systems, is to make the
> content writable by web processes but the actual code read-only.
> That's more secure but it requires a lot of manual intervention for
> updates and configuration changes.  You *can* run WordPress this way,
> and it will be more secure, but you'll lose the automated update
> functionality as well as most of the web GUI configuration capability.
> Not necessarily a problem if you have good command line fu, but it
> can get tedious.

Sounds like a good area for a maintenance tool script. Run the script =
prior to updates/config changes to temporarily open the permissions. =
After the update has been completed rerun the script to re-secure the =
permissions. Probably included a little db back in the preparation.

Thoughts?
m=




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?6F081A41-0EA8-4DB4-8FB9-F2E9A75EC948>