
webuser, why?

Posted: Tue Mar 29, 2005 8:12 pm
by rsd
Hi,

I am new to ZM and still on the installation process.

Why does ZM really need a webuser and webgroup?
All HTTP files are chowned by the webserver user and webserver group.

From a security point of view, this is very wrong. With this the http server may [over]write any file including php and cgi scripts.
All that is needed is that the webserver has read access to these files.

My suggestion is that these files be 0644 with the owner root and group the webgroup (apache).
If for some reason there is a need to write over a file (or dir), this gets to be 0664.

Posted: Tue Mar 29, 2005 9:23 pm
by cordel
I think you might want to read the README
http://www.zoneminder.com/documentation.html

Posted: Tue Mar 29, 2005 10:18 pm
by zoneminder
It's partly historical. Probably all files don't need to be writeable by the webuser. However, a lot of files are created from the web interface, or from processes started by the web user, so there is quite a bit of file writing taking place directly or indirectly by the web user.

Phil

Posted: Wed Mar 30, 2005 2:03 pm
by lazyleopard
I think, though, that all the writing takes place in the sub-directories, and not in the root one. I've been running zoneminder successfully with ownerships and permissions much as rsd suggests for a while now, so it would seem none of the .php files or cgi executables need to be alterable by the webuser.

Posted: Fri Apr 01, 2005 7:16 pm
by zoneminder
I will revisit this in a future version to see if it can be simplified. Automatic installs are easier if you have a defined user, plus having only root and webuser to worry about is easier than adding a third, but I agree if it is unnecessary to have the files owned by webuser then it probably shouldn't happen.

Phil
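
An added example, not part of the thread and not ZoneMinder's own code: a Python audit of the ownership scheme discussed above, listing every file or directory under a web root that the web server account could alter. The function names and the `data_dirs` parameter (the sub-directories where writes are expected) are assumptions; the check also covers two cases the mode bits alone hide, namely that an owner can chmod its own files and that a writable directory lets its contents be replaced.

```python
import os
import stat


def web_can_modify(st, web_uid, web_gids):
    """Return why the web account can alter this inode, or None if it cannot."""
    if st.st_uid == web_uid:
        # The owner can always chmod the file back to writable,
        # so the mode bits give no protection here.
        return "owned by web user"
    if st.st_gid in web_gids:
        # Group class applies; the 'other' bits are not consulted.
        return "group-writable by web group" if st.st_mode & stat.S_IWGRP else None
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_webroot(root, web_uid, web_gids, data_dirs=()):
    """List (relative path, reason) for everything the web account can alter.

    data_dirs names sub-directories of root where writes are expected
    (assumed parameter); they are not descended into or reported.
    """
    skip = {os.path.join(root, d) for d in data_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune the expected-writable data directories in place.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        # A writable directory allows unlink-and-recreate of the files
        # inside it, so directories are checked as well as files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permissions live on the link target, not the link
            reason = web_can_modify(st, web_uid, web_gids)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: audit.py <web root> <web user name> [data dir ...]
    pw = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for rel, why in audit_webroot(sys.argv[1], pw.pw_uid, gids, sys.argv[3:]):
        print(f"{rel}: {why}")
```

With the files owned by root and set to 0644, a run over the script directories should print nothing; anything listed outside the data directories is a file the web server could overwrite.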