-
-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a warning about using same user for cli and web server #6517
Conversation
pasdeloup
commented
Apr 27, 2016
Q | A |
---|---|
Doc fix? | yes |
New docs? | no |
Applies to | all |
Fixed tickets | --- |
@@ -228,6 +228,9 @@ If there are any issues, correct them now before moving on. | |||
configuration (e.g. commonly httpd.conf or apache2.conf for Apache) and setting | |||
its user to be the same as your CLI user (e.g. for Apache, update the ``User`` | |||
and ``Group`` values). | |||
|
|||
Be careful, this option is not recommended on production environments for security | |||
reasons as a compromise server would give to the hacker the same privileges than this user. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reasons as a compromised
server would give the
hacker the same privileges as
this user.
I'm not sure about adding this note. My reason is that it implies that this is always insecure or the "hacker" would get root privileges. But the user shared by the web server and the CLI could/should be very limited and without critical privileges, right? |
You're right, it's not root privileges, but CLI user usually has more rights than web user. He can launch commands, like app/console doctrine:database:drop even if whatever is done in command can usually be done via web when it's pure php. He can also launch some unsafe binaries in bin/. He's also able to read/write what is generated by the CLI like archives/logs/statistics. |
|
||
If used in a production environment, be sure this user only has limited privileges | ||
(no access to private data or servers, launch of unsafe binaries, etc.) | ||
as a compromised server would give to the hacker those privileges. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this paragraph needs to be indented with 4 more spaces in order to be part of the caution box.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was working, but you're right, and it's better for readability.
I also rebased as my other PR on the same file has just been merged.
👍 I think this caution makes sense here. |
| Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | ---
Thank you @pasdeloup. |
…r (pasdeloup) This PR was squashed before being merged into the 2.3 branch (closes #6517). Discussion ---------- Add a warning about using same user for cli and web server | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | --- Commits ------- 1214ecc Add a warning about using same user for cli and web server