Use a dedicated UNIX user instead of the webserver's user #4

@raphj

Hi,

Passbolt doesn't need to run as the same UNIX user as the webserver (let's assume www-data), and probably shouldn't.

A dedicated user would probably be safer:

  • it might help limit the impact of a security issue impacting the HTTP proxy (nginx or Apache)
  • it might help limit the impact of a security issue impacting anything else running under the www-data user, which might be WordPress websites or Nextcloud installs, or anything PHP, with a huge attack surface, because it is the default user and I suspect many don't configure a dedicated php-fpm pool with a dedicated user for each service, and rather use the default www.conf pool.
  • if Passbolt gets compromised, it might help limit access to other things as well

Passbolt could create a dedicated passbolt.conf pool with its own user. Having a dedicated pool has other advantages such as not sharing workers with a pool that might get overloaded for instance.

The security implications are especially true on a server with several services, but are also true for a server dedicated to Passbolt.

I hope I reported this issue in the right place; I'll be happy to move it somewhere else if desirable.

Thanks for this amazing shared password manager, much appreciated.
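
A sketch of the dedicated php-fpm pool proposed in the issue above, added here as an example (it is not part of the original issue and not Passbolt's own configuration). The `passbolt` user and group, the file and socket paths, and the worker counts are assumptions.

```ini
; pool.d/passbolt.conf  (assumed location: php-fpm's pool directory, next to www.conf)
;
; Before: Passbolt is served by the default [www] pool from www.conf, i.e.
;   user  = www-data
;   group = www-data
; so its PHP workers share a UID with every other site on that pool.

[passbolt]
; Assumed dedicated account, created beforehand as a system user.
; Workers in this pool run with this UID/GID, not www-data.
user = passbolt
group = passbolt

; Separate socket for this pool only. The web server (assumed to run
; as www-data) needs permission to connect to it, nothing more.
listen = /run/php/passbolt.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Own worker budget, so an overloaded [www] pool cannot starve
; Passbolt (values are placeholders to tune).
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```

With such a pool, the files the application has to read or write need to be owned by the dedicated account rather than www-data, and the web server's FastCGI configuration has to point at the new socket.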
