Xibo on CentOS 7 web server: permissions?


I’m new to this forum, so let me introduce myself. I’m a 50-year-old Austrian living in the South of France, and I’m the manager/admin of Microlinux, a small IT company with a focus on Linux and Open Source software.

I’m currently experimenting with Xibo on one of my servers. I’ve read the documentation and several tutorials, I took extensive notes, and now I have a few questions. First things first.

I didn’t opt for the Docker installation, since I prefer the “classic” web server setup. All my public machines are currently running CentOS 7.

So far all the checkboxes in the installation script are checked. Apache and PHP are fine, all PHP modules are installed, and Xibo is running nicely.

The various tutorials give rather wide permissions to the installation, and everything is supposed to belong to the user and the group running the web server, which in my case is apache:apache.

This is bad policy, however, so I’d like to restrict this to the bare minimum. Here’s my question to the devs:

Which files/directories does the application need to write to?

Usually all my various web applications (OwnCloud, WordPress, Dolibarr, etc.) are owned by a non-root user, and only when the application needs to write somewhere, the file/directory is owned by user:apache, with file permissions usually set to 0660 and directories to 0770.

Any suggestions?


Off the top of my head, it’ll need to write to cache, library and all subdirectories (or wherever you’ve located your CMS library), the web directory (to create settings.php during installation), and web/install so it can delete index.php during installation.

You may need to experiment a little yourself if you want to go for that level of lockdown.

A Docker installation would give you much greater security, however, as it fully isolates the application from the host machine, and the other applications running on the server.

Thanks for the heads-up. I’m currently putting your advice into practice, and it seems to work. I have yet to get a better grasp on Docker before using it in production.
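
The ownership model from the question applied to the writable paths named in the reply, followed by a check for anything else that is still group- or world-writable. This is an added example, not part of the original thread and not Xibo's own tooling; the 0755/0644 read-only baseline, the function names and the owner/group arguments are assumptions.

```shell
#!/bin/sh
# Added example. Paths are relative to the CMS root and follow the reply above
# (cache, library, web, web/install). Function names and arguments are hypothetical.

# lockdown ROOT OWNER WEBGROUP
# Baseline (assumption): everything owned by OWNER, readable but not writable by
# the web server. Exceptions: writable paths get group WEBGROUP, 0770/0660.
lockdown() {
    root=$1 owner=$2 webgroup=$3
    chown -R "$owner" "$root" || return 1
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    # Recursive write access: cache and library with all subdirectories.
    for d in cache library; do
        [ -d "$root/$d" ] || continue
        chgrp -R "$webgroup" "$root/$d"
        find "$root/$d" -type d -exec chmod 0770 {} +
        find "$root/$d" -type f -exec chmod 0660 {} +
    done
    # Directory-level write only: web (settings.php is created there) and
    # web/install (index.php is deleted there). Files inside stay read-only.
    for d in web web/install; do
        [ -d "$root/$d" ] || continue
        chgrp "$webgroup" "$root/$d"
        chmod 0770 "$root/$d"
    done
}

# audit ROOT
# Prints every file or directory writable by group or others that lies outside
# the intended writable set. Empty output means the lockdown holds.
audit() {
    root=$1
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        ! -path "$root/cache" ! -path "$root/cache/*" \
        ! -path "$root/library" ! -path "$root/library/*" \
        ! -path "$root/web" ! -path "$root/web/install"
}

# Usage as root: sh lockdown.sh <cms-root> <owner> <web-group>
if [ "$#" -eq 3 ]; then
    lockdown "$1" "$2" "$3" && audit "$1"
fi
```

Since the reply ties write access on web and web/install to the installation step, those two directories can be re-checked with `audit` after tightening them once the installer has finished.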