Package: php-dompdf Version: 0.6.2+dfsg-3 Severity: normal
Hi. /var/cache/php-dompdf/fonts/ is shipped with owners www-data:www-data which is quite unfortunate for any proper production setup where the PHP code should of course not run with the user/group of the webserver (and thus have full access to any other stuff served by such webserver). Especially it affects any PHP SAPI other than mod_php, which allow (or enforce) to run as a different user, just as it should be. Now this directory is apparently needed for operation of php-dompdf, but write access will not work for users/group other than www-data. One way would be to use dpkg-statoverride, but that's IMHO also a bit limited. Could you possibly consider to go another way here? One, though I'm not sure whether this would work properly with php-dompdf, is what the main PHP packages to with the session store (i.e. /var/lib/php/sessions in PHP 7.0), they simply have permissions drwx-wx-wt root:root, but of course that may not be safe, depending on how well php-dompdf is programmed for that. The other would be to not use www-data but e.g. root:<some special group>, and people could add those users who are allowed to write, to that group,... e.g. www-data, or cgi-suexec. Cheers, Chris.