Insecure writable by web user /data directory in nginx-php package #15
Comments
Any reason for running php under the www-data user?
I'd suggest the following way:
I believe silently changing permissions or an owner on a mountable volume is not a good practice. Different web apps may have their own permission requirements. Your repository is popular. People may use it in production. Either a warning about insecure permissions should be made in a readme, or it should be secure by default and have a development option. With power comes responsibility.
Duly noted, I will take steps to rectify this, I do believe in best Thank you again, Max. On Wed, Mar 25, 2015 at 12:37 AM, dadittoz notifications@github.com wrote:
Hello.
In the init script you recursively change the /data owner to core:core. The php5-fpm process is also executed under the user core. This is insecure. Basically every script can change everything in /data, including config files. The /data/secure folder is not secure either. Every web script can access it.
I wonder whether there is any reason why you recursively update the owner of the /data directory? I would suggest leaving file owners intact and only changing the file owner of the logs directory. I also suggest running php5-fpm under the www-data user.
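A way to check the exposure described in this report, as an added example that is not part of the issue or of the image's init script: it lists every path under a directory that a given account can modify. The function names `writable_by_ids` and `writable_by` are hypothetical; `/data`, `core` and `www-data` are the names used above.

```shell
#!/bin/sh
# Added example: audit which paths a service account can modify.
# Ownership alone counts as "can modify": the owner of a file can always
# chmod it, so a recursive chown to the PHP user hands over the whole tree.

# writable_by_ids UID "GID1 GID2 ..." DIR   (the GID list must not be empty)
writable_by_ids() {
    uid=$1 gids=$2 dir=$3
    # Build "-group G1 -o -group G2 ..." for every group of the account.
    set --
    for gid in $gids; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -group "$gid"
    done
    # Report a path when the account owns it, or shares its group and the
    # group-write bit (020) is set, or is outside owner and group and the
    # other-write bit (002) is set. Directories are included because write
    # access to a directory allows replacing the files inside it.
    find "$dir" ! -type l \( \
        -user "$uid" \
        -o \( \( "$@" \) -perm -020 \) \
        -o \( ! \( "$@" \) -perm -002 \) \
    \) -print
}

# writable_by USER DIR: same check, resolving ids from the account database.
writable_by() {
    writable_by_ids "$(id -u "$1")" "$(id -G "$1")" "$2"
}
```

Inside the container, `writable_by core /data` shows what the PHP worker can change with the ownership described above, and `writable_by www-data /data` shows what remains after switching the worker account; with the suggested setup only the logs directory should be listed.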