This repository has been archived by the owner on Feb 10, 2024. It is now read-only.

Insecure writable by web user /data directory in nginx-php package #15

Closed
dadittoz opened this issue Mar 17, 2015 · 3 comments

Comments

@dadittoz

Hello.

The init script recursively changes the owner of /data to core:core. The php5-fpm process is also executed under user core. This is insecure. Basically every script can change everything in /data, including config files. The /data/secure folder is not secure either. Every web script can access it.

I wonder whether there is any reason why you recursively update the owner of the /data directory. I would suggest leaving file owners intact and only changing the file owner of the logs directory. I also suggest running php5-fpm under the www-data user.

@dadittoz dadittoz changed the title Insecure writable bh Insecure writable by world /data/http directory Mar 17, 2015
@dadittoz dadittoz changed the title Insecure writable by world /data/http directory Insecure writable by world /data/http directory in nginx-php package Mar 17, 2015
@dadittoz dadittoz changed the title Insecure writable by world /data/http directory in nginx-php package Insecure writable by world /data directory in nginx-php package Mar 17, 2015
@dadittoz dadittoz changed the title Insecure writable by world /data directory in nginx-php package Insecure writable by web user /data directory in nginx-php package Mar 17, 2015
@maxexcloo
Owner

Any reason for running php under the www-data user?
I'm changing permissions as many scripts and webapps like to write into the web folder. I agree with your assessment but don't have many ideas on how to solve this...

@dadittoz
Author

I'd suggest the following way:

  1. Run nginx and php-fpm under www-data user by default. This is a standard Debian behavior, no real need to change it.
  2. If a user wants an insecure script-writable-readable environment for development and testing, he supplies an environment option such as "WEB_WRITABLE=1". Init script detects it and modifies config files or changes permissions accordingly.

I believe silently changing permissions or an owner on a mountable volume is not a good practice. Different web apps may have their own permission requirements.

Your repository is popular. People may use it in production. Either a warning about insecure permissions should be added to the readme, or it should be made secure by default with a development option. With power comes responsibility.
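
The opt-in approach proposed in the comment above, sketched as init-script functions. This is an added example, not code from the repository or from either participant; the `logs` and `http` subdirectory names, the function names and the exact handling of `WEB_WRITABLE` are assumptions.

```shell
#!/bin/sh
# Added example: secure-by-default ownership handling for a mounted /data volume.
# Assumptions (not from the repository): logs/ and http/ subdirectories,
# the function names, and accepting only 0 or 1 for WEB_WRITABLE.

# Print the paths whose ownership the init script may change.
# $1 = data root, $2 = WEB_WRITABLE ("" or 0 = secure default, 1 = dev mode)
perm_targets() {
    data_root=$1
    case "${2:-0}" in
        0) printf '%s\n' "$data_root/logs" ;;
        1) printf '%s\n' "$data_root/logs" "$data_root/http" ;;
        *) echo "WEB_WRITABLE must be 0 or 1, got '$2'" >&2
           return 2 ;;
    esac
}

# Change ownership of the selected paths only. The volume root, config files
# and /data/secure keep whatever owner the volume was mounted with.
# $1 = data root, $2 = WEB_WRITABLE, $3 = owner spec passed to chown
apply_perms() {
    targets=$(perm_targets "$1" "$2") || return $?
    if [ "${2:-0}" = 1 ]; then
        echo "WARNING: WEB_WRITABLE=1, web scripts can modify $1/http" >&2
    fi
    printf '%s\n' "$targets" | while IFS= read -r path; do
        [ -d "$path" ] || continue      # skip paths the volume does not have
        chown -R "$3" "$path" || exit 1 # failure propagates as the return status
    done
}

# Typical call from the init script, with nginx and php-fpm running as www-data:
#   apply_perms /data "$WEB_WRITABLE" www-data:www-data
```

With the variable unset, only the logs directory is handed to the web user, so a compromised PHP script cannot rewrite configuration or read `/data/secure` through ownership alone.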

@maxexcloo
Owner

Duly noted, I will take steps to rectify this, I do believe in best
practices and your advice is solid.
If you have any pull requests for changes they're very welcome as I am
unfortunately rather busy with university and it may take me some time to
examine my repository and make the changes needed (I want to do a full
overview of all my packages and clean them up if I can).

Thank you again, Max.

On Wed, Mar 25, 2015 at 12:37 AM, dadittoz notifications@github.com wrote:

I'd suggest the following way:

  1. Run nginx and php-fpm under www-data user by default. This is a
    standard Debian behavior, no real need to change it.
  2. If a user wants an insecure script-writable-readable environment for
    development and testing, he supplies an environment option such as
    "WEB_WRITABLE=1". Init script detects it and modifies config files or
    changes permissions accordingly.

I believe silently changing permissions or an owner on a mountable volume
is not a good practice. Different web apps may have their own permission
requirements.

Your repository is popular. People may use it in production. Either a
warning about insecure permissions should be made in a readme or make it
secure by default and have a development option. With power comes
responsibility.

