Roland's Friendica Network

Implications of access by the user www-data to all friendica folders

Hi there,
the friendica helpers page describes the installation process of friendica as follows:

/help/Install: wrote:

The Linux commands to clone the repository into a directory "mywebsite" would be
git clone https://github.com/friendica/friendica.git -b stable mywebsite
cd mywebsite
bin/composer.phar install --no-dev
Make sure the folder view/smarty3 exists and is writable by the webserver user, in this case www-data
mkdir -p view/smarty3
chown www-data:www-data view/smarty3
chmod 775 view/smarty3
Get the addons by going into your website folder.
cd mywebsite
Clone the addon repository (separately):
git clone https://github.com/friendica/friendica-addons.git -b stable addon

askubuntu.com: wrote:

What is the www-data user?
https://askubuntu.com/questions/873839/what-is-the-www-data-user
The web server has to be run under a specific user. That user must exist.
If it were run under root, then all the files would have to be accessible by root and the user would need to be root to access the files. With root being the owner, a compromised web server would have access to your entire system. By specifying a specific ID a compromised web server would only have full access to its files and not the entire server.

I guess this observation goes both ways, a compromised friendica instalation get's access to all the friendica folders if I choose to first create/activate the www-data user, than create the friendica installation folder structure, than git clone friendica, than create the smarty3 folder and ultimately do the git clone of the addon folder as described here:
https://tupambae.org/display/0ac89072-2065-5da2-9124-8b5839853793
The order in which the creation of www-data related folders in the above case is described makes all folders and files in the friendica directory belong to www-data.
In the friendica help description first comes the git-clone, than the the smarty3 folder part than the addon git-clone. Actually I guess that last part would make the addon folder belong to www-data too if I run one command after another. Is that intended?

I wonder if this could have some kind of security implications.
I guess www-data is somehow the friendica site and has permissions to do "what ever it wants" (-> "writable by the webserver user") with all the folders in the friendica directories if it's the owner of them.

@TupambAdmin [stable]

What is the www-data user?

I'm working through How To Serve Django Applications with uWSGI and Nginx on Ubuntu 16.04. At the end of the "Create a systemd Unit File for uWSGI" in the article they discuss the www-data user. W...

^{Ask Ubuntu}

@Friendica Support

Roland Häder likes this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

> granting write rights only for the specific locations that need it

What folders would that be?

What I have seen so far that would be:
/storage
/view/smarty3
and
/config
but only while installing local.config.php

Something I don't understand is why I do have a few folders in:
/view/smarty/compiled
that belong to the user root.
How is that possible?
How can friendica create folders as and/or for root?

What should I expect to happen if I just delete those folders, or even delete the complete /compiled folder. I guess friendica would start from there to create the folder compiled and subfolders as needed?

I ask because there are those subdirectories belonging strangely to root and one of my issues is that when I switch to the theme FRIO I have no access anymore to the settings of that respective profile, not even to change back to VIER. That renders that profile nearly useless and I'm trying to get around that problem.

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

I guess to just change all the folders/subfolders and files regardless of their ownership that would be:

rootname@VPShosting:/var/www/html/view/smarty3/# chown -R www-data:www-data compiled

Friendica Support reshared this.

in reply to utopiArte

utopiArte

in reply to utopiArte • 11 months ago • •

result:

What I don't get is where these ownership settings came from.
They were not even from a specific day or had anything specific in common:
https://tupambae.org/display/0ac89072-1865-63c1-9da8-4ab292183263

utopiArte

2023-11-26 22:07:25

Just checked all the 13 of 220 folders that were created as belonging to user and group root and that I consider shouldn't exist as owned by root i the folder /smarty3.
In general terms speaking I couldn't find a common property.
They refer to posts or replies by three different users.
Most refer to one specific post.
Two create a page:
Not Found
The requested item doesn't exist or has been deleted.
Request: XYZ
All were created with the theme VIER.

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

Just checked the settings page of one of the profiles in question and yes, that fixed it.
thx
👍

(again, how could this possibly happen, shouldn't we look for some bug somewhere or do we just assume some quantum entanglement?)

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

> That's a good list of exceptions.

In theory I could there for run the following commands to set all folders except /storage and /view/smarty3 to root:

set ownership of everything recursively to root:
rootname@VPShosting:/var/www/# chown -R root:root html

set ownership of storage and smarty3 recursively to www-data:
rootname@VPShosting:/var/www/html/# chown -R www-data:www-data storage
rootname@VPShosting:/var/www/html/view/# chown -R www-data:www-data smarty3

The change of ownership wouldn't affect the specific read/write permissions of files and folders and www-data would have only access to the folders needed.

right?

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

Even tho there have been some trouble while setting up this installation what calls my attention ist that those folders had kinda random different dates of creation:

drwxr-xr-x 3 root root 4096 Nov 12 04:35 00
drwxr-xr-x 4 root root 4096 Nov 16 02:10 30
drwxr-xr-x 3 root root 4096 Nov 17 19:35 3e
drwxr-xr-x 3 root root 4096 Nov 11 01:57 49
drwxr-xr-x 3 root root 4096 Nov 16 22:25 4e
drwxr-xr-x 3 root root 4096 Nov 11 01:55 59
drwxr-xr-x 3 root root 4096 Nov 14 11:10 90
drwxr-xr-x 3 root root 4096 Nov 21 22:50 a3
drwxr-xr-x 3 root root 4096 Nov 23 00:45 a4
drwxr-xr-x 4 root root 4096 Nov 23 19:15 ae
drwxr-xr-x 3 root root 4096 Nov 23 20:35 b4
drwxr-xr-x 3 root root 4096 Nov 16 00:53 bf
drwxr-xr-x 3 root root 4096 Nov 14 11:10 e2

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

Like to say this started with one folder being owned by root and from there others were created with the same ownership?

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

That's what astonishes me.

My access is only via console SSH to the VPS and that shouldn't create any kind of cross implications with the firefox webbrowser that accesses the friendica installation.

Also apparently the installation itself was created the 8th of November, the first folder apparently the 11th of November so there was no relation to that.

If friendica is able to create a folder and files as root that's kinda scary isn't it?

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

I ended up doing the following:

First I created a backup folder of the existing html folder and subdirectories:

root@VPShosting:/var/www# cp -r html html_01.bak

By default that created a copy with all files and folders owned by root.

Than I changed the ownership of storage and smarty3 to www-data:

root@VPShosting:/var/www/html_01.bak# chown -R www-data:www-data storage

Screen of the new user and group owner ship setting of the /html folder

root@VPShosting:/var/www/html_01.bak/view# chown -R www-data:www-data smarty3

Screen of the new user and group owner ship setting of the /view folder

Once everything looked "fine" I moved the existing html folder to a new name.

root@VPShosting:/var/www# mv html html_www-data_old

By moving [mv] instead of copying [cp] the ownership of files and folders aren't affected. Than I moved the copy with the new ownership settings into place:

root@VPShosting:/var/www# mv html_01.bak html

Well see how this setup behaves.
In any case I'll have the old version at hand to change to it if necessary.

Friendica Support reshared this.

Unknown parent

utopiArte

Unknown parent • 11 months ago • •

probably

Friendica Support reshared this.

⇧

utopiArte 11 months ago • •

utopiArte
11 months ago • •