fbsd safety of the ports

David Brodbeck gull at gull.us
Tue Feb 7 22:42:34 UTC 2012

On Mon, Feb 6, 2012 at 9:37 AM, dick <dick at nagual.nl> wrote:
> I'm a bit confused. I always believed FreeBSD is a very safe system. That
> may be true for the core files, but what about ports.
> On the net I read _never_ to let the webserver be the owner of its files and
> yet, ports like Drupal or WordPress make the files rwx for the owner (www)
> as well as the group (www). How does this fit into fbsd's safety policy?

Content management systems are a bit of a sticky wicket for security.

The reason for not allowing the web server user to own files is so
that someone who hacks a web app can't modify the site contents.  But
the whole reason for running a CMS system is to allow modifying the
site contents via a web app.

One compromise, used by TWiki and some other systems, is to make the
content writable by web processes but the actual code read-only.
That's more secure but it requires a lot of manual intervention for
updates and configuration changes.  You *can* run WordPress this way,
and it will be more secure, but you'll lose the automated update
functionality as well as most of the web GUI configuration capability.
 Not necessarily a problem if you have good command line fu, but it
can get tedious.

More information about the freebsd-questions mailing list