823097 – PHP document root is writable by Apache

Bug 823097 - PHP document root is writable by Apache

Summary: PHP document root is writable by Apache

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	OKD
Classification:	Red Hat
Component:	Containers
Sub Component:
Version:	1.x
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Rob Millner
QA Contact:	libra bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-19 03:35 UTC by Steve Meyers
Modified:	2013-11-18 00:39 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-05-31 00:35:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Steve Meyers 2012-05-19 03:35:54 UTC

In the PHP environment, the php/ directory (the document root) is writable by Apache.  This is generally considered a major security problem.  I understand that many popular software packages (WordPress, among others) prefer to have a writable document root, so they can manage their own code.  It would be good to at least have that default to non-writable, and allow people to disable the more secure setting at their own risk.

Comment 1 Rob Millner 2012-05-21 18:39:43 UTC

We may not be able to change this due to how the application environment and work-flow are setup. Taking the ticket in to discuss what we can do.

Comment 2 Mike McGrath 2012-05-29 21:08:34 UTC

We have a fix planned for this that will enable / disable high security mode.  In high security mode, what you're wanting to do (apache not writing to the php/ directroy) won't be allowed.  Unfortunately I don't have an ETA for that.

Comment 3 Rob Millner 2012-05-31 00:35:46 UTC

Since this specifies a future feature we're planning that's a ways off, I'm going to close the ticket out as a deferred request.

Note You need to log in before you can comment on or make changes to this bug.