We've done some tidying + a new cluster!
Posted: 19th Dec 2021
You might have noticed some updates to the base PHP and Nginx software included in your bundles over the last few days. These updates are related to some changes we've made to make your Craft project more secure and use a simpler set of file and folder permissions.
'root', Eliminated
The biggest change we've made is completely eliminating the root user from all of your project's components.
Previously, when you ran top within a shell into one of your project's instances - you will have seen at least one process executed as root at the base of the process tree. Having a process executing as root is pretty normal on Linux systems, but it's one of the primary ways in which malicious users can attempt 'privilege escalation' - escaping from the limitations of the user under which PHP is running and adopting the limitations (or lack of) of its parent processes.
By completely removing the use of any 'root' privileged processes the risk of escalation is vastly reduced - even if a new zero-day vulnerability in PHP is found.
We've applied this change, along with a lot of accompanying adjustments to all components within your projects, and the changes will be included with any bundles built from this point forward.
File and Folder Permissions
We've also streamlined the file and folder permissions used on the filesystem for your projects. Specifically we've:
- Switched the vendor folder from root ownership over to www-data (the PHP user).
- Tightened up the permissions on the cpresources folder which was previously a bit lax because this folder is shared between multiple components.
- Switched any post-deploy tasks to run as the www-data user instead of root which was the case previously due to... technical reasons.
In general, everything inside the base directory for your project files is now owned and operated by www-data and has tighter access permissions.
And a new Cluster
This week we brought us-east-3 online! 🎉
Any new projects created in New York will live in this new cluster. There's nothing different about it, but we like to keep our clusters to a maximum size in order to ensure no platform level services come under too much strain. So give it a whirl and let us know if you run into any issues.
