[pkg-php-pear] Bug#831734: php-htmlpurifier: /var/lib/php-htmlpurifier/Serializer/ permission issues
Christoph Anton Mitterer
calestyo at scientia.net
Mon Jul 18 20:18:55 UTC 2016
Package: php-htmlpurifier
Version: 4.7.0-2
Severity: normal
Hi.
/var/lib/php-htmlpurifier/Serializer/ is shipped with owners www-data:www-data
which is quite unfortunate for any proper production setup where the PHP
code should of course not run with the user/group of the webserver (and thus
have full access to any other stuff served by such webserver).
Especially it affects any PHP SAPI other than mod_php, which allow (or enforce)
to run as a different user, just as it should be.
Now this directory is apparently needed for operation of php-htmlpurifier,
but write access will not work for users/group other than www-data.
One way would be to use dpkg-statoverride, but that's IMHO also a bit limited.
Could you possibly consider to go another way here?
One, though I'm not sure whether this would work properly with php-htmlpurifier,
is what the main PHP packages to with the session store (i.e. /var/lib/php/sessions
in PHP 7.0), they simply have permissions drwx-wx-wt root:root, but of course
that may not be safe, depending on how well htmlpurifier is programmed for that
The other would be to not use www-data but e.g. root:<some special group>, and people
could add those users who are allowed to write, to that group,... e.g. www-data,
or cgi-suexec.
Cheers,
Chris.
More information about the pkg-php-pear
mailing list