Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a warning about using same user for cli and web server #6517

Closed
wants to merge 3 commits into from

Conversation

pasdeloup
Copy link
Contributor

Q A
Doc fix? yes
New docs? no
Applies to all
Fixed tickets ---

@@ -228,6 +228,9 @@ If there are any issues, correct them now before moving on.
configuration (e.g. commonly httpd.conf or apache2.conf for Apache) and setting
its user to be the same as your CLI user (e.g. for Apache, update the ``User``
and ``Group`` values).

Be careful, this option is not recommended on production environments for security
reasons as a compromise server would give to the hacker the same privileges than this user.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reasons as a compromised server would give the hacker the same privileges as this user.

@javiereguiluz
Copy link
Member

I'm not sure about adding this note. My reason is that it implies that this is always insecure or the "hacker" would get root privileges. But the user shared by the web server and the CLI could/should be very limited and without critical privileges, right?

@pasdeloup
Copy link
Contributor Author

You're right, it's not root privileges, but CLI user usually has more rights than web user. He can launch commands, like app/console doctrine:database:drop even if whatever is done in command can usually be done via web when it's pure php. He can also launch some unsafe binaries in bin/. He's also able to read/write what is generated by the CLI like archives/logs/statistics.
To finish, this user is also usually a real user with a bash, a home directory potentially containing private files.
So I don't like the idea, but maybe a simple warning would be more appropriate than a "never do it"


If used in a production environment, be sure this user only has limited privileges
(no access to private data or servers, launch of unsafe binaries, etc.)
as a compromised server would give to the hacker those privileges.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this paragraph needs to be indented with 4 more spaces in order to be part of the caution box.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was working, but you're right, and it's better for readability.
I also rebased as my other PR on the same file has just been merged.

@wouterj
Copy link
Member

wouterj commented May 5, 2016

👍 I think this caution makes sense here.

pasdeloup and others added 3 commits May 6, 2016 15:26
| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | all
| Fixed tickets | ---
@xabbuh
Copy link
Member

xabbuh commented May 9, 2016

Thank you @pasdeloup.

xabbuh added a commit that referenced this pull request May 9, 2016
…r (pasdeloup)

This PR was squashed before being merged into the 2.3 branch (closes #6517).

Discussion
----------

Add a warning about using same user for cli and web server

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | all
| Fixed tickets | ---

Commits
-------

1214ecc Add a warning about using same user for cli and web server
@xabbuh xabbuh closed this May 9, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants