Add a warning about using same user for cli and web server #6517
Conversation
pasdeloup
commented
Apr 27, 2016
pasdeloup
commented
| Q | A |
|---|---|
| Doc fix? | yes |
| New docs? | no |
| Applies to | all |
| Fixed tickets | --- |
| @@ -228,6 +228,9 @@ If there are any issues, correct them now before moving on. | |||
| configuration (e.g. commonly httpd.conf or apache2.conf for Apache) and setting | |||
| its user to be the same as your CLI user (e.g. for Apache, update the ``User`` | |||
| and ``Group`` values). | |||
|
|
|||
| Be careful, this option is not recommended on production environments for security | |||
| reasons as a compromise server would give to the hacker the same privileges than this user. | |||
There was a problem hiding this comment.
reasons as a compromised server would give the hacker the same privileges as this user.
|
I'm not sure about adding this note. My reason is that it implies that this is always insecure or the "hacker" would get root privileges. But the user shared by the web server and the CLI could/should be very limited and without critical privileges, right? |
|
You're right, it's not root privileges, but CLI user usually has more rights than web user. He can launch commands, like app/console doctrine:database:drop even if whatever is done in command can usually be done via web when it's pure php. He can also launch some unsafe binaries in bin/. He's also able to read/write what is generated by the CLI like archives/logs/statistics. |
|
|
||
| If used in a production environment, be sure this user only has limited privileges | ||
| (no access to private data or servers, launch of unsafe binaries, etc.) | ||
| as a compromised server would give to the hacker those privileges. |
There was a problem hiding this comment.
this paragraph needs to be indented with 4 more spaces in order to be part of the caution box.
There was a problem hiding this comment.
It was working, but you're right, and it's better for readability.
I also rebased as my other PR on the same file has just been merged.
|
👍 I think this caution makes sense here. |
| Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | ---
|
Thank you @pasdeloup. |
…r (pasdeloup) This PR was squashed before being merged into the 2.3 branch (closes #6517). Discussion ---------- Add a warning about using same user for cli and web server | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | --- Commits ------- 1214ecc Add a warning about using same user for cli and web server
