Date: Tue, 7 Feb 2012 17:59:27 -0500 From: mikel king <mikel.king@olivent.com> To: David Brodbeck <gull@gull.us> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: fbsd safety of the ports Message-ID: <6F081A41-0EA8-4DB4-8FB9-F2E9A75EC948@olivent.com> In-Reply-To: <CAHhngE0Y1hFQv4dUvaKFz68kwNWERAAJKpirTV0bvAiPmPx_aA@mail.gmail.com> References: <4F300FCD.8070804@nagual.nl> <CAHhngE0Y1hFQv4dUvaKFz68kwNWERAAJKpirTV0bvAiPmPx_aA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Feb 7, 2012, at 5:15 PM, David Brodbeck wrote: > On Mon, Feb 6, 2012 at 9:37 AM, dick <dick@nagual.nl> wrote: >> I'm a bit confused. I always believed FreeBSD is a very safe system. = That >> may be true for the core files, but what about ports. >>=20 >> On the net I read _never_ to let the webserver be the owner of its = files and >> yet, ports like Drupal or WordPress make the files rwx for the owner = (www) >> as well as the group (www). How does this fit into fbsd's safety = policy? >=20 > Content management systems are a bit of a sticky wicket for security. >=20 > The reason for not allowing the web server user to own files is so > that someone who hacks a web app can't modify the site contents. But > the whole reason for running a CMS system is to allow modifying the > site contents via a web app. >=20 > One compromise, used by TWiki and some other systems, is to make the > content writable by web processes but the actual code read-only. > That's more secure but it requires a lot of manual intervention for > updates and configuration changes. You *can* run WordPress this way, > and it will be more secure, but you'll lose the automated update > functionality as well as most of the web GUI configuration capability. > Not necessarily a problem if you have good command line fu, but it > can get tedious. Sounds like a good area for a maintenance tool script. Run the script = prior to updates/config changes to temporarily open the permissions. = After the update has been completed rerun the script to re-secure the = permissions. Probably included a little db back in the preparation. Thoughts? m=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6F081A41-0EA8-4DB4-8FB9-F2E9A75EC948>