Re: fbsd safety of the ports - David Brodbeck - org.freebsd.freebsd-questions

9 messages in org.freebsd.freebsd-questionsRe: fbsd safety of the ports

From	Sent On	Attachments
dick	Feb 6, 2012 9:36 am
Mark Felder	Feb 6, 2012 9:45 am
David Brodbeck	Feb 7, 2012 2:15 pm
mikel king	Feb 7, 2012 2:59 pm
Daniel Staal	Feb 7, 2012 6:29 pm
mikel king	Feb 7, 2012 6:53 pm
David Brodbeck	Feb 8, 2012 10:00 am
per...@pluto.rain.com	Feb 8, 2012 11:48 pm
Daniel Staal	Feb 9, 2012 4:52 am

Subject:	Re: fbsd safety of the ports
From:	David Brodbeck (gu...@gull.us)
Date:	Feb 7, 2012 2:15:05 pm
List:	org.freebsd.freebsd-questions

On Mon, Feb 6, 2012 at 9:37 AM, dick <di...@nagual.nl> wrote:

I'm a bit confused. I always believed FreeBSD is a very safe system. That may be true for the core files, but what about ports.

On the net I read _never_ to let the webserver be the owner of its files and yet, ports like Drupal or WordPress make the files rwx for the owner (www) as well as the group (www). How does this fit into fbsd's safety policy?

Content management systems are a bit of a sticky wicket for security.

The reason for not allowing the web server user to own files is so that someone who hacks a web app can't modify the site contents. But the whole reason for running a CMS system is to allow modifying the site contents via a web app.

One compromise, used by TWiki and some other systems, is to make the content writable by web processes but the actual code read-only. That's more secure but it requires a lot of manual intervention for updates and configuration changes. You *can* run WordPress this way, and it will be more secure, but you'll lose the automated update functionality as well as most of the web GUI configuration capability. Not necessarily a problem if you have good command line fu, but it can get tedious.

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets