#831734 php-htmlpurifier: /var/lib/php-htmlpurifier/Serializer/ permission issues

#831734#5
Date: 2016-07-18 20:18:55 UTC

Hi.

/var/lib/php-htmlpurifier/Serializer/ is shipped with owners www-data:www-data
which is quite unfortunate for any proper production setup where the PHP
code should of course not run with the user/group of the webserver (and thus
have full access to any other stuff served by such webserver).

It especially affects any PHP SAPI other than mod_php, which allow (or enforce)
running as a different user, just as it should be.

Now this directory is apparently needed for operation of php-htmlpurifier,
but write access will not work for users/group other than www-data.


One way would be to use dpkg-statoverride, but that's IMHO also a bit limited.


Could you possibly consider going another way here?
One, though I'm not sure whether this would work properly with php-htmlpurifier,
is what the main PHP packages do with the session store (i.e. /var/lib/php/sessions
in PHP 7.0): they simply have permissions drwx-wx-wt root:root, but of course
that may not be safe, depending on how well htmlpurifier is programmed for that.
The other would be to not use www-data but e.g. root:<some special group>, and people
could add those users who are allowed to write, to that group,... e.g. www-data,
or cgi-suexec.

Cheers,
Chris.
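
The ownership layouts discussed in this report can be told apart from a directory's owner, group and octal mode. The script below is an added example, not part of the original message or of the package; the printed labels, the `WEB_USER` variable and the group name `htmlpurifier` used in its comments are assumptions made for illustration, and `audit_dir` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: classify the ownership layout of a writable PHP cache
# directory. Labels such as "webserver-owned" are made up for this example.

WEB_USER=${WEB_USER:-www-data}   # account the web server itself runs as

# classify_layout OWNER GROUP MODE
# MODE is octal as printed by `stat -c %a`, e.g. 755, 1733 (drwx-wx-wt)
# or 2770 (setgid directory for a hypothetical group "htmlpurifier").
classify_layout() {
    cl_owner=$1; cl_group=$2
    cl_mode=$(printf '%04o' "0$3")   # pad to 4 digits: special,user,group,other
    cl_special=${cl_mode%???}
    cl_rest=${cl_mode#??}
    cl_grp=${cl_rest%?}
    cl_other=${cl_mode#???}

    if [ $(( cl_other & 2 )) -ne 0 ]; then
        # Any local user may create entries; only the sticky bit stops
        # one user from deleting or replacing another user's files.
        if [ $(( cl_special & 1 )) -ne 0 ]; then
            echo "world-writable-sticky"
        else
            echo "world-writable"
        fi
    elif [ "$cl_owner" = "$WEB_USER" ]; then
        # The shipped state: only code running as the web server can write.
        echo "webserver-owned"
    elif [ $(( cl_grp & 2 )) -ne 0 ]; then
        # Write access is granted by membership of one dedicated group.
        echo "group-write:$cl_group"
    else
        echo "owner-only"
    fi
}

# audit_dir DIR: read owner, group and mode from disk, then classify.
audit_dir() {
    ad_info=$(stat -c '%U %G %a' "$1") || return 1
    set -- $ad_info
    classify_layout "$1" "$2" "$3"
}
```

On an installed system, `audit_dir /var/lib/php-htmlpurifier/Serializer` reports which of these layouts is in effect.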