webuser, why?

Support and queries relating to all previous versions of ZoneMinder
rsd
Posts: 3
Joined: Tue Mar 29, 2005 8:03 pm

Post by rsd »

Hi,

I am new to ZM and still on the installation process.

Why does ZM really need a webuser and webgroup?
All HTTP files are chowned to the webserver user and webserver group.

From a security point of view, this is very wrong. With this, the http server may [over]write any file, including php and cgi scripts.
All that is needed is that the webserver has read access to these files.

My suggestion is that these files be 0644 with the owner root and group the webgroup (apache).
If for some reason there is a need to write over a file (or dir), this gets to be 0664.
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

I think you might want to read the README
http://www.zoneminder.com/documentation.html
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

It's partly historical. Probably all files don't need to be writeable by the webuser. However, a lot of files are created from the web interface, or from processes started by the web user, so there is quite a bit of file writing taking place directly or indirectly by the web user.

Phil
lazyleopard
Posts: 403
Joined: Tue Mar 02, 2004 6:12 pm
Location: Gloucestershire, UK

Post by lazyleopard »

I think, though, that all the writing takes place in the sub-directories, and not in the root one. I've been running zoneminder successfully with ownerships and permissions much as rsd suggests for a while now, so it would seem none of the .php files or cgi executables need to be alterable by the webuser.
Rick Hewett
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

I will revisit this in a future version to see if it can be simplified. Automatic installs are easier if you have a defined user, plus having only root and webuser to worry about is easier than adding a third, but I agree if it is unnecessary to have the files owned by webuser then it probably shouldn't happen.

Phil
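
Added example, not part of the original thread and not ZoneMinder's own tooling: a POSIX shell function that lists everything under a web root that the web server account could modify, skipping the subdirectories that are meant to be writable. The function name, the `events` subdirectory and the account names in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# audit_webroot ROOT WEBUSER WEBGROUP [WRITABLE_SUBDIR...]
#
# Prints every file or directory under ROOT that the web server could
# write to, i.e. that is
#   - owned by WEBUSER with the owner write bit set, or
#   - in group WEBGROUP with the group write bit set, or
#   - world-writable,
# ignoring the listed subdirectories (relative to ROOT) where writes are
# expected. With root:webgroup ownership and mode 0644 on scripts, as
# suggested in the thread, the output should be empty.
audit_webroot() {
    root=$1
    webuser=$2
    webgroup=$3
    shift 3

    # Turn each remaining argument into "-path ROOT/dir -prune -o" so
    # find does not descend into directories that are allowed to be
    # writable. The loop rotates the positional parameters in place.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$root/$1" -prune -o
        shift
        n=$((n - 1))
    done

    # Symlinks always show mode 0777, so they are excluded to avoid
    # false positives. Octal -perm tests check the mode bits only.
    find "$root" "$@" ! -type l \( \
        \( -user "$webuser" -perm -200 \) -o \
        \( -group "$webgroup" -perm -020 \) -o \
        -perm -002 \
    \) -print
}

# Hypothetical usage (path and names are placeholders, not from the thread):
#   audit_webroot /path/to/zm/webroot apache apache events
```

Any `.php` or CGI file in the output is one the web server could overwrite; an empty result means only the listed subdirectories are writable by it.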