[kwlug-disc] Web application file ownership

Khalid Baheyeldin kb at 2bits.com
Fri Dec 9 10:45:44 EST 2022


From another thread ...

On Fri, Dec 9, 2022 at 4:05 AM Ronald Barnes <ron at ronaldbarnes.ca> wrote:

> If I run:
>
> chown -vR www-data: ./.*
>

This is a warning to those who run web sites with applications that need to
write to the file system, such as Drupal, Backdrop, as well as other CMS
and web frameworks.

Basically, there are the applications' programs and configuration in one
bucket (A), and the writable file system in another (B). There is also the
configuration (C).

In Drupal, Backdrop, and other similar CMS/web frameworks:

C should always be outside webroot, so it is not accessible to anyone in
the event of a web server misconfiguration or bug. The default installation
of Backdrop makes it inside webroot, which is a potential security
vulnerability.

For example, for Backdrop the correct way should be:

$config_directories['active'] = '../config/example.com/active';

That config is now outside webroot, and should be owned by www-data so it
is writable by PHP, but it is also not accessible from the web server as
static files.

B is usually in webroot/files or sites/example.com/files. It should always
be owned by the user www-data, so PHP (and hence the application) can write
to it anything that needs to be written.

Which leaves A, and that is where things are often not done right. Many
people make A owned by www-data, but that means that any bug that causes a
remote exploit can write executable stuff and execute it. That is why A
should be owned by a separate user, and made world readable but only user
writable.

This adds a limitation when executing PHP from the command line, e.g.
things like drush. The fix is to use:

sudo -u www-data /usr/local/bin/drush whatever

A shell alias or wrapper script ties it all together.

