Running Dolibarr as different User other than Apache User

Hi,

Kind attn : @ksar, @eldy,

Dolibarr runs as the default Apache user, due to which we have to give write permission on our web server. This opens a security issue for a trojan horse that creates CCX, XT and kjagffassay23451 folders with malfunction code in PHP.

In order to avoid this mess, it would be great to have Dolibarr run as a different user other than the standard Apache user (like www-data).

Has anyone implemented this…? If yes, can you kindly share the process, please?

thanks
yesbee

You only have to give write permission to some folders, others can be read only.

Then your Apache has to run as a different user - OR - spawn the Dolibarr PHP code to run as a different user.

Sort of.

I run my Dolibarr as a container using the Tuxgasy image. This runs in a podman container on a small Linux VPS that I pay about €5 per month for.

Next to that I run some other containers, naturally a database, but also some Python Flask containers with my own code with a form for dance class registration system as well as some overview pages of the class participants and their waitlist/accept/payment status.

In my development setup I also have a phpmyadmin container so I can peek behind the curtain.

In front of all this I run another container, nginx, that proxies all the dolibarr and flask python content into 2 different hostnames which nginx exposes to the internet.

1 Like

You must NOT (never) give write permission on Dolibarr files. Only the directory /custom (if you allow to upload modules) and the directory documents (that is stored outside of the web server files) must have write access. Dolibarr was designed to run with readonly files with no permission for the web server user to change this (Dolibarr does not need this).

You can set your Apache, nginx virtual host to run under another user than the default Apache user.
I use mod_itk so I can use several hosted instances and each instance has its own Unix user, but if you have just 1 instance, you can choose the user with no need of this Apache module. If you use FastCGI php-fpm, you can also do it easily by setup. It is a web server setup. A web application (like Dolibarr) can't decide its running user instead of the web server.
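As an added example (not code from this thread or from the Dolibarr project), the following POSIX shell function checks the permission layout described in the last reply: it lists every path under the Dolibarr web root that the web server user could modify, skipping only the custom directory. It assumes custom sits directly under the path you pass and that the documents directory lives outside it; the name audit_writable and the example path in the comments are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit a Dolibarr web root for paths the web server
# user can modify. Only custom/ is expected to be writable; the
# documents directory is assumed to live outside the web root.
#
# usage: audit_writable /path/to/dolibarr/htdocs www-data
audit_writable() {
    htdocs=${1%/}      # strip a trailing slash so -path matches
    webuser=$2

    gids=$(id -G "$webuser") || {
        echo "unknown user: $webuser" >&2
        return 2
    }

    # Build "-group G1 -o -group G2 ..." for every group of the user.
    set --
    for gid in $gids; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -group "$gid"
    done

    # A path is reported when the user
    #   - owns it (an owner can always chmod it back to writable), or
    #   - is in its group and the group-write bit is set, or
    #   - the world-write bit is set.
    # Symlinks are skipped because their mode bits are meaningless.
    find "$htdocs" -path "$htdocs/custom" -prune -o \
        ! -type l \
        \( -user "$webuser" \
           -o \( \( "$@" \) -perm -020 \) \
           -o -perm -002 \) \
        -print
}

# Run directly as: sh audit.sh /path/to/dolibarr/htdocs www-data
if [ $# -ge 2 ]; then
    audit_writable "$1" "$2"
fi
```

Empty output means the web server user cannot change any file outside custom. Any path printed is a place where injected PHP could be written or an existing file altered.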