Add another tip to setup permissions #3563
| Q | A |
| ------------- | --- |
| Doc fix? | no |
| New docs? | yes |
| Applies to | all |
| Fixed tickets | n/a |

This is a quick tip on the installation guide to use the same user for CLI and HTTP.
typing commands when setting up new projects. This is done by editing your | ||
Apache configuration file ``httpd.conf`` and update the user and group values | ||
from ``www-data`` to your CLI user. Obviously, this is only recommended in dev | ||
environnement. |
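Review bot: the sentence "This is done by editing your Apache configuration file ``httpd.conf`` and update the user and group values" mixes "editing" with "update" and uses lower-case names for directives Apache spells ``User`` and ``Group``; write "editing ... and updating the ``User`` and ``Group`` directives". "dev environnement" is misspelled ("environment"). The tip should also say outright what the change means: after it, every Apache worker runs with the CLI user's privileges, so the restriction to development is a requirement rather than a preference.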
typo, it should say environment
This is not needed for a development environment imo; I never do this, for instance. I have never done it on either Ubuntu or Mac.
@cordoval I agree this is not needed, it is just another option among others :)
Fixed typo
@@ -267,6 +267,14 @@ If there are any issues, correct them now before moving on. | |||
|
|||
Note that using the ACL is recommended when you have access to them | |||
on your server because changing the umask is not thread-safe. | |||
|
|||
**4. Use the same user for CLI and HTTP** |
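Review bot: the new heading "**4. Use the same user for CLI and HTTP**" names a protocol rather than the process that needs the permissions; "Use the same user for the CLI and the web server" reads better and also covers Nginx, which the tip currently ignores by mentioning only ``httpd.conf``. In the preceding note, "when you have access to them on your server" should read "when your server supports them" (ACLs), and "changing the umask is not thread-safe" should say where the umask would be changed, otherwise the reader cannot tell which of the alternatives it is warning against.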
... the CLI and the web server
Hey Tony! Sorry for spamming you with comments - but I like the addition - so let's get it merged in :). Cheers!
Thanks @weaverryan for the comments, it's good spam anyway!
A few issues:
@lyrixx Concerning points 1 and 2, I could rephrase and tell the user to check his web server documentation (Apache/Nginx).
Yea, I think we should rephrase to tell the user to check their web server - like you mentioned @tony-co. About point 3, is it true (or not true) that using the same user for many things means that if one thing were compromised (e.g. your web server, or some security hole in your web app itself that allows people to access files or run a command) that things are worse because the attacker can access more parts of your system? Or is this not really a big concern? For me, that's the part (if it makes sense) that I wanted to warn people about. But @lyrixx you're saying that you do this on purpose, and I'll admit that your setup does indeed sound very simple - I like that :). So, do we or don't we recommend using the same user in production? Or do we need to involve others that know more? I know that I don't know :). Thanks!
I don't agree with @lyrixx. I don't want the web server user to be able to write anywhere other than in some dedicated directories (like cache, log, etc.). I don't want my web server, for example, to be able to delete my entire application or to add new files to the web directory, which would then be served by it.
I think we could omit everything about production. It's simpler, and error-proof ;) @xabbuh Deleting a .php file is useless for an attacker. Accessing your databases and other credentials is really more important. Give me access to your server with
@lyrixx Depends on what he wants to achieve. Nonetheless, he is not only able to delete files but can also create new files if he has write permissions. Of course, that's not the only thing you have to take care of.
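The property xabbuh wants (the web server account can write only to the dedicated cache and log directories) and the credential exposure lyrixx points to can both be checked mechanically. The following is an added example, not code from this PR or from the Symfony documentation: a small Python auditor that evaluates the classic owner/group/other mode bits for a given uid and group set, walks a project tree and lists what that account could write (flagging anything outside an allow-list) or read. The www-data uid/gid of 33, the allowed directories and the sample project layout are assumptions made for the example; extended ACL entries set with setfacl are not visible in st_mode and are not evaluated here.

```python
"""Audit which paths of a project a given Unix account could read or
write, using only the classic owner/group/other mode bits.

Added example, not code from the Symfony docs or from this PR. The
uid/gid of WWW_DATA, the allow-list and the sample tree are constructed
for illustration. Extended ACL entries (setfacl) are not visible in
st_mode and are not evaluated; hosts relying on them would need the
getfacl output merged in as well.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The account we reason about, e.g. the web server's."""
    uid: int
    gids: frozenset  # primary plus supplementary groups


# Debian/Ubuntu www-data (uid/gid 33 is an assumption for the example).
WWW_DATA = Principal(uid=33, gids=frozenset({33}))
# The account running this script, i.e. the CLI user.
CURRENT_USER = Principal(uid=os.getuid(),
                         gids=frozenset(os.getgroups()) | {os.getgid()})
# Directories the web server is expected to write (project-relative).
ALLOWED_WRITES = ("app/cache", "app/logs")


def _has_bit(st, who, user_bit, group_bit, other_bit):
    """Classic DAC: exactly one class applies, chosen by ownership
    (owner, then group, then other), not the union of all three."""
    if who.uid == 0:
        return True  # root bypasses DAC
    if st.st_uid == who.uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in who.gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_write(st, who):
    return _has_bit(st, who, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_read(st, who):
    return _has_bit(st, who, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def writable_paths(root, who):
    """Project-relative paths `who` could modify. A writable directory
    counts too: it lets the account create or unlink entries there
    (e.g. drop a new .php file into web/)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if can_write(os.lstat(full), who):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def unexpected_writes(root, who, allowed=ALLOWED_WRITES):
    """Writable paths outside the allowed prefixes: the ones to fix."""
    def inside(p):
        return any(p == a or p.startswith(a + os.sep) for a in allowed)
    return [p for p in writable_paths(root, who) if not inside(p)]


def readable_by(root, who, rel_paths):
    """Which of the given files (e.g. credential files) `who` can read."""
    return [p for p in rel_paths
            if can_read(os.lstat(os.path.join(root, p)), who)]


def make_sample_project(parameters_mode=0o644):
    """Build a constructed Symfony-like tree in a temp dir and return its
    root. Modes are set explicitly afterwards so the umask plays no role."""
    root = tempfile.mkdtemp(prefix="sf-perms-")
    dirs = {"app": 0o755, "app/cache": 0o777, "app/cache/dev": 0o777,
            "app/logs": 0o777, "app/config": 0o755, "src": 0o755,
            "web": 0o755, "web/uploads": 0o777}  # the mistake to catch
    files = {"app/logs/dev.log": 0o666,
             "app/config/parameters.yml": parameters_mode,
             "src/AppKernel.php": 0o644, "web/app.php": 0o644}
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# constructed sample\n")
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    project = make_sample_project()
    print("www-data can write :", writable_paths(project, WWW_DATA))
    print("outside cache/logs :", unexpected_writes(project, WWW_DATA))
    print("credentials readable:",
          readable_by(project, WWW_DATA, ["app/config/parameters.yml"]))
```

Run as the CLI user against the sample tree, it flags web/uploads as writable by www-data but outside cache and logs, and reports app/config/parameters.yml as readable until its mode is tightened to 0640. On a real host, point it at the project root with the server's actual uid and groups and treat any path outside cache and logs as something to fix; where setfacl is in use, the ACL entries have to be checked separately.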
configuration file ``httpd.conf`` and updating the User and Group values | ||
from ``www-data`` to your CLI user. Obviously, this is only recommended in | ||
development environment as you do not want to give Apache full control over | ||
your whole production system. |
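Review bot: "this is only recommended in development environment" needs an article ("in a development environment"), and since the paragraph already opens in a development context, the sentence about production repeats it, as the thread notes. If a warning is kept at all, make the consequence concrete rather than saying "full control": with ``User`` and ``Group`` set to your account, Apache can write anything your account can, including the application source and the web directory it serves.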
I agree with @lyrixx that we should just avoid talking about production - so remove the last sentence. We already start with "In development environments", so I think we're good :).
ping @weaverryan
Thanks for the fast update! I've patched this into the 2.3 branch. Cheers and thanks everyone!
This PR was submitted for the 2.4 branch but it was merged into the 2.3 branch instead (closes #3563).

Discussion
----------

Add another tip to setup permissions

| Q | A |
| ------------- | --- |
| Doc fix? | no |
| New docs? | yes |
| Applies to | all |
| Fixed tickets | n/a |

This is a quick tip on the installation guide to use the same user for CLI and HTTP.

Commits
-------

0d5bcd7 Rephrase
625369a Updated tip with latest comments
b955d99 Update installation.rst
1aaa291 Add another tip to setup permissions in dev environnement.