Question regarding users and groups and security

Hi there,

So I have Matomo installed on a FreeBSD machine and the files look like this:

Code:
-rw-r--r--   1 root  wheel   67626 Sep  1 23:21 CHANGELOG.md
-rw-r--r--   1 root  wheel     928 Sep  1 23:21 CONTRIBUTING.md
-rw-r--r--   1 root  wheel    8057 Sep  1 23:21 LEGALNOTICE
-rw-r--r--   1 root  wheel   35146 Sep  1 23:21 LICENSE
-rw-r--r--   1 root  wheel    4616 Sep  1 23:21 PRIVACY.md
-rw-r--r--   1 root  wheel    5448 Sep  1 23:21 README.md
-rw-r--r--   1 root  wheel    1061 Sep  1 23:21 SECURITY.md
-rw-r--r--   1 root  wheel     998 Sep  1 23:21 bower.json
-rw-r--r--   1 root  wheel    3721 Sep  1 23:21 composer.json
-rw-r--r--   1 root  wheel  116301 Sep  1 23:21 composer.lock
drwxr-xr-x   3 www   www       512 Oct  8 12:41 config
-rw-r--r--   1 root  wheel     689 Sep  1 23:21 console
drwxr-xr-x  49 root  wheel    4096 Oct  6 16:32 core
-rw-r--r--   1 root  wheel     730 Sep  1 23:21 index.php
drwxr-xr-x   2 root  wheel     512 Oct  6 16:32 js
drwxr-xr-x   2 root  wheel    2048 Oct  6 16:32 lang
drwxr-xr-x  11 root  wheel     512 Oct  6 16:32 libs
drwxr-xr-x  10 root  wheel     512 Oct 11 08:28 misc
-rw-r--r--   1 www   www     65403 Sep  1 23:21 piwik.js
-rw-r--r--   1 root  wheel    2760 Sep  1 23:21 piwik.php
drwxr-xr-x  72 root  wheel    1536 Oct  6 16:32 plugins
drwxr-xr-x   2 root  wheel     512 Oct  6 16:32 tests
drwxr-xr-x  10 www   www       512 Oct  8 12:41 tmp
drwxr-xr-x  22 root  wheel     512 Oct  6 16:32 vendor

I am trying to install a plugin for it and it gives an error with this:

Code:
Matomo couldn't write to some directories  (running as user 'www').
Try to Execute the following commands on your server, to allow Write access on these directories:
    chown -R www:www /usr/local/www/matomo
    chmod -R 0755 /usr/local/www/matomo/plugins

I'm not at home with this stuff, so I am wondering if it's a good idea to follow through.
 
I'm not at home with this stuff, so I am wondering if it's a good idea to follow through.
Then why not read up about it? These are very trivial issues and they're fully explained (with several other things) in Chapter 3 of the FreeBSD handbook. Now, I'm not trying to go RTFM on you but obviously you're a little worried about security. So why trust strangers on a forum to tell you if this is right or not instead of looking it up in the official documentation? Security starts with a basic understanding of what you're doing.

Alas: I would definitely not use the first chmod command. It would give the www user full control over the directory structure and that's not healthy. You do not want to give a webservice the ability to pretty much rewrite its own executables. The configuration is one thing, but the rest should remain locked.

The second chown command on the other hand should be no problem. It's most likely also where your problems come from. After that the web service will be able to write to the plugins directory thus allowing it to store new plugins. Since it already has write access to the config directory it seems that it would also be able to change the configuration and make the system aware of the new plugin.
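An added example, not part of the original posts: a small sh function that reads `ls -l` output and lists the entries a given user can modify, run over an abridged copy of the listing from the question and over a constructed copy in which only plugins has been handed to www. It assumes the web user's only group is its primary group; the function names are hypothetical.

```shell
# Added example: which entries can USER modify, judged from `ls -l` lines on stdin.
# POSIX semantics: the first matching class (owner, then group, then other) decides.
# Assumption: GROUP is the user's only group (supplementary groups are not checked).
web_writable() {  # usage: web_writable USER GROUP < ls-l-listing
    awk -v u="$1" -v g="$2" '
        NF >= 9 {
            mode = $1
            if ($3 == u)      bit = substr(mode, 3, 1)   # owner write bit
            else if ($4 == g) bit = substr(mode, 6, 1)   # group write bit
            else              bit = substr(mode, 9, 1)   # other write bit
            if (bit == "w") print $NF
        }'
}

# Listing abridged from the question above.
matomo_listing() {
    cat <<'EOF'
drwxr-xr-x   3 www   www       512 Oct  8 12:41 config
drwxr-xr-x  49 root  wheel    4096 Oct  6 16:32 core
-rw-r--r--   1 root  wheel     730 Sep  1 23:21 index.php
-rw-r--r--   1 www   www     65403 Sep  1 23:21 piwik.js
drwxr-xr-x  72 root  wheel    1536 Oct  6 16:32 plugins
drwxr-xr-x  10 www   www       512 Oct  8 12:41 tmp
drwxr-xr-x  22 root  wheel     512 Oct  6 16:32 vendor
EOF
}

# Constructed: the same listing with only the plugins directory owned by www.
after_scoped_chown() {
    matomo_listing | awk '$NF == "plugins" { $3 = "www"; $4 = "www" } { print }'
}

matomo_listing | web_writable www www      # config, piwik.js, tmp
after_scoped_chown | web_writable www www  # config, piwik.js, plugins, tmp
```

In both cases core, vendor and index.php stay out of the web user's reach, which is the property a recursive chown of the whole tree would remove.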
 