On Mon, Feb 6, 2012 at 9:37 AM, dick <di...@nagual.nl> wrote:
> I'm a bit confused. I always believed FreeBSD is a very safe system. That
> may be true for the core files, but what about ports?
> On the net I read _never_ to let the webserver be the owner of its files and
> yet, ports like Drupal or WordPress make the files rwx for the owner (www)
> as well as the group (www). How does this fit into fbsd's safety policy?
Content management systems are a bit of a sticky wicket for security.
The reason for not allowing the web server user to own files is so
that someone who hacks a web app can't modify the site contents. But
the whole reason for running a CMS system is to allow modifying the
site contents via a web app.
One compromise, used by TWiki and some other systems, is to make the
content writable by web processes but the actual code read-only.
That's more secure but it requires a lot of manual intervention for
updates and configuration changes. You *can* run WordPress this way,
and it will be more secure, but you'll lose the automated update
functionality as well as most of the web GUI configuration capability.
Not necessarily a problem if you have good command line fu, but it
can get tedious.
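The "code read-only, content writable" split described in the reply can be checked mechanically. The sh snippet below is an added example, not from the thread: it assumes a WordPress-style layout where only wp-content/uploads is meant to be writable by the www group, and it flags any other path that is group- or world-writable (mode bits only, so it needs no root and no www account).

```sh
#!/bin/sh
# Audit a CMS document root for the "code read-only, content writable" split.
# Prints every path under $1 that is group- or world-writable and does not
# live under the allowed content directory $2. Assumes the www user holds the
# group bit, as in the thread; only permission bits are inspected.
audit_writable() {
    docroot=$1
    content=$2   # e.g. "$docroot/wp-content/uploads" (assumed WordPress layout)
    find "$docroot" -path "$content" -prune -o \
        \( -perm -020 -o -perm -002 \) -print | sort
}

# Build a constructed sample docroot in a temp dir and return the number of
# offending paths, so the result can be checked without reading output.
demo_count() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/uploads" \
             "$root/wp-content/plugins/hello"
    : > "$root/index.php"
    : > "$root/wp-admin/install.php"
    : > "$root/wp-content/plugins/hello/hello.php"
    : > "$root/wp-content/uploads/a.jpg"
    # Code: owner may write, web server (group/other) may only read
    chmod 755 "$root" "$root/wp-admin" "$root/wp-content" "$root/wp-content/plugins"
    chmod 644 "$root/index.php" "$root/wp-admin/install.php"
    # Uploads: writable by the www group on purpose (the CMS content)
    chmod 775 "$root/wp-content/uploads"
    chmod 664 "$root/wp-content/uploads/a.jpg"
    # Constructed mistake: a plugin left group-writable, which the audit must catch
    chmod 775 "$root/wp-content/plugins/hello"
    chmod 664 "$root/wp-content/plugins/hello/hello.php"
    count=$(audit_writable "$root" "$root/wp-content/uploads" | wc -l)
    rm -rf "$root"
    echo "$count" | tr -d ' '
}

demo_count   # 2: the plugin directory and the plugin file
```

Running audit_writable against a live docroot after every update is a cheap way to confirm that an automated upgrade or a plugin install has not quietly widened the code directories again.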