Page 1 of 1
Fix Permissions "Security" Note Debian/Ubuntu
Posted: Fri Feb 07, 2020 12:40 am
by bbunge
Prior version of my install procedure and install script contained a "Fix Permissions: chown -R www-data:www-data /usr/share/zoneminder/" step.
It has been brought to my attention that this could allow the www-data user to write in this area which is not a good thing.
To correct this on your system run, as root: chown -R root:root /usr/share/zoneminder/
Re: Fix Permissions "Security" Note Debian/Ubuntu
Posted: Fri Feb 07, 2020 1:46 pm
by iconnor
For some historical context, we used to store events in /usr/share/zoneminder/events and that dir has to be owned by www-data. Same with /usr/share/zoneminder/images etc. I fixed that in 1.32. So there should be no need for write access to anything under /usr/share/zoneminder.
all that stuff got moved to /var/cache/zoneminder/ in ubuntu or more rightly /var/lib/zoneminder in redhat.
So the line should probably be to chown www-data /var/cache/zoneminder ot chwon www-data /var/lib/zoneminder as appropriate.
Re: Fix Permissions "Security" Note Debian/Ubuntu
Posted: Fri Feb 07, 2020 4:13 pm
by bbunge
Just checked my latest Ubuntu Zoneminder production server. /var/cache/zoneminder is at www-data:www-data (set by the Zoneminder install)
As a reminder for those using additional storage such as another HD or remote NAS the storage directory on the drive/device needs to be owned by www-data