File permissions... install vs. cli vs. running live?

  • Affected version
    WoltLab Suite 3.0

    I'm trying to get forums v 5.1 up and running.

    I have full root on my host.

    nginx is running as www-data:www-data

    1) I would prefer that the directories all be owned by another user, with a few writable directories open for www-data. I'm guessing this is impossible, given that people want the upgrade system to work, etc. So... should I just create a directory mode 755 owned by www-data and just live with the unease that the installer creates tons of files/dirs under that?

    2) it looks like if I do (1), which I did, that CLI now fails, because I tried to run it as www-data, and this fails:

    Code
    $ php cli.php --packageID=4
    rename(/tmp/atomic_7886b4a3df8e076022e10a2b07ad1521e3755201,/home/xyzzys/bb_root/public_html/core/cache/cache.wcf_Spider.php): Permission denied

    So I assume I need to figure out some way to run php cli.php as www-data? (sudo doesn't seem to work off the bat, account is disabled, I'll have to figure that out?)

  • Official post

    Hi

    nginx is running as www-data:www-data

    that is irrelevant: what matters is which user PHP FPM is running as.

    I would prefer that the directories all be owned by another user,

    You can configure the FPM pool to run as a user of your choice.

    2) it looks like if I do (1), which I did, that CLI now fails, because I tried to run it as www-data, and this fails:

    You have to execute the CLI as the same user PHP FPM runs as.

    sudo doesn't seem to work off the bat, account is disabled, I'll have to figure that out?

    You can use su -s /bin/bash <username> as root to log in as disabled users / users without a shell.

  • Hi

    that is irrelevant: what matters is which user PHP FPM is running as.

    You can configure the FPM pool to run as a user of your choice.

    You have to execute the CLI as the same user PHP FPM runs as.

    You can use su -s /bin/bash <username> as root to log in as disabled users / users without a shell.

    Thanks for the super fast response Tim!

    What's the recommended "most secure" way to do this. Set up a pool with that other user?

    My concern with leaving the entire directory tree owned by www-data is that if nginx or php is compromised, I'm toast, whereas if they can only write to a few small directories, it's isolated.

    Or am I making this harder than it needs to be?

  • Official post

    Hi

    Set up a pool with that other user?

    yes. Set up the pool as the other user and then chown the webroot of WoltLab Suite recursively. You can find the pool configurations in /etc/php/7.0/fpm/pool.d for Ubuntu 16.04. I recommend creating a pool with a separate user for each application you are running (i.e. one for WoltLab Suite, a different one for e.g. Wordpress and yet another one for something else).

    My concern with leaving the entire directory tree owned by www-data is that if nginx or php is compromised, I'm toast, whereas if they can only write to a few small directories, it's isolated.

    It is required that the pool user is able to write all the files. But: nginx only needs to read the files, so you need to make sure that www-data is able to read the files. WoltLab Suite sets o+r for all the files it creates, so you should not need to make any special accommodations.

    If you are absolutely paranoid you can ensure that nginx is not able to write into the webroot by leveraging systemd's ReadOnlyPaths. I won't be able to give advice, unfortunately.
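The setup the two official replies describe (a dedicated PHP-FPM pool user, the webroot chowned to that user, www-data only needing read access via o+r, the CLI run as the pool user through su -s, and optionally ReadOnlyPaths for nginx) as one shell script. This is an added example, not code from the thread or from WoltLab; the pool user name wsc, the webroot /var/www/wsc, the socket path and the /etc/php/7.0 paths for Ubuntu 16.04 are assumptions taken from the thread, and the audit function only inspects mode bits, it does not change anything.

```shell
#!/bin/sh
# Added example (not from the thread or from WoltLab).
# Assumed names: pool user "wsc", webroot /var/www/wsc, nginx user www-data.
#
# Intended root-only steps (not executed by this script):
#   useradd --system --home /var/www/wsc --shell /usr/sbin/nologin wsc
#   make_pool_config wsc www-data > /etc/php/7.0/fpm/pool.d/wsc.conf
#   chown -R wsc:wsc /var/www/wsc
#   systemctl restart php7.0-fpm
#   # run the CLI as the same user PHP-FPM runs as (account has no shell):
#   su -s /bin/bash wsc -c 'cd /var/www/wsc && php cli.php --packageID=4'
#   make_nginx_dropin /var/www/wsc > /etc/systemd/system/nginx.service.d/readonly.conf
#   systemctl daemon-reload && systemctl restart nginx

# Print a PHP-FPM pool that runs as $1 and listens on a socket that only the
# nginx user $2 may connect to. One pool (and one user) per application.
make_pool_config() {
    pool_user=$1
    web_user=$2
    cat <<EOF
[${pool_user}]
user = ${pool_user}
group = ${pool_user}
listen = /run/php/php-fpm-${pool_user}.sock
listen.owner = ${web_user}
listen.group = ${web_user}
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Print a systemd drop-in that makes the webroot $1 read-only for nginx
# (ReadOnlyPaths is a systemd.exec directive); nginx only needs to read it.
make_nginx_dropin() {
    cat <<EOF
[Service]
ReadOnlyPaths=$1
EOF
}

# Audit a webroot owned by the pool user: every file must carry o+r and every
# directory o+rx (otherwise www-data cannot serve it), and nothing may be
# world-writable. Prints offenders; returns 1 if any were found, else 0.
audit_webroot() {
    root=$1
    bad=0
    unreadable=$(find "$root" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \))
    writable=$(find "$root" -perm -002 ! -type l)
    if [ -n "$unreadable" ]; then
        printf 'not readable by others:\n%s\n' "$unreadable"
        bad=1
    fi
    if [ -n "$writable" ]; then
        printf 'world-writable:\n%s\n' "$writable"
        bad=1
    fi
    return $bad
}

# Demo on a constructed temporary tree standing in for the real webroot:
# one correct file, one cache file that was written with a too-strict umask.
demo() {
    root=$(mktemp -d)
    chmod 755 "$root"
    mkdir -p "$root/core/cache"
    chmod 755 "$root/core" "$root/core/cache"
    : > "$root/index.php"
    chmod 644 "$root/index.php"
    : > "$root/core/cache/cache.wcf_Spider.php"
    chmod 600 "$root/core/cache/cache.wcf_Spider.php"   # constructed offender
    audit_webroot "$root" || echo "audit failed for $root (expected in the demo)"
    rm -rf "$root"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run with `--demo` to see the audit flag the constructed 0600 cache file; against a real install, `audit_webroot /var/www/wsc` after the recursive chown tells you whether www-data will be able to read everything nginx has to serve. The audit deliberately checks mode bits rather than testing access as www-data, so it works the same whether you run it as root or as the pool user.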
