tech-pkg archive


Re: Webserver user/group



On 06/04/2020 at 01:44, Greg Troxel wrote:
> Joerg Sonnenberger <joerg%bec.de@localhost> writes:
> 
>> On Mon, Apr 06, 2020 at 01:03:49AM +0200, Frédéric Fauberteau wrote:
>>> I mainly run www/nginx as webserver. I also run www/php-fpm that uses
>>> an unprivileged user FPM_USER?= ${APACHE_USER}. In my mk.conf, I have
>>> APACHE_USER= nginx. I would prefer to have web services' unprivileged
>>> users depending on a generic WWW_USER that could be configured
>>> according to the webserver actually running.
>>
>> I don't like it. In fact, IMO php-fpm should be defaulting to its own
>> user if anything. This seems to be a step backwards from the perspective
>> of best practises...
> 
> I am also not in favor, and agreed that more privsep is better if it
> isn't painful.
> 
> I have a machine with nginx and php-fpm, running as nginx and www.  It
> seems to be working fine.
> 
> Frédéric: Can you explain why a dedicated user for php-fpm would be a
> problem, or have disadvantages?

If I run nginx as the nginx user and php-fpm as the fpm user, I get permission denied errors. It is probably a problem in my own configuration. But I did not suggest adding a dedicated user for php-fpm. It was just an example to illustrate my point.

My proposal was to declare WWW_USER/WWW_GROUP for the needs of packages that require files owned by the user that runs the webserver. I don't find it very consistent to write APACHE_USER=nginx or APACHE_USER=lighttpd because there is no relation to apache at all. However, WWW_USER=nginx sounds better to me. If we defined WWW_USER=${APACHE_USER}, it would not change the default policy.

I can cite another example: www/php-piwigo uses APACHE_USER to set file ownership to www. This behavior appears to me to be a remainder of a time when everyone used Apache httpd (I did too). But maybe I am totally wrong and it is an intentional policy. In that case, I won't touch anything.

Fred

