I have a group of users (content editors) who need read-write access to the apache document root. The apache web server is running as user:apache and group:apache. The filesystem permissions are currently set as apache:apache. How should I modify filesystem permissions so that content editors can have read-write permissions and the webserver can serve files as well? Following is what I have set up now, but I am not sure whether it is a good configuration. I appreciate any comments or suggestions regarding this.
<setup>
chown -R apache:contenteditors /var/www/html
chmod u=rx /var/www/html
chmod g+w /var/www/html
chmod g+s /var/www/html
Add people editing web/html files to contenteditors group.
</setup>
thanks, jM.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
05-04-2011, 05:58 PM
Kenneth Porter
apache docroot permissions
User apache only needs read access except under special conditions, such as
a script that needs to store configuration in a file. And a lot of apps
store their state in a DB so they don't need filesystem write access at
all.
Set the permissions as strict as possible, so that if an attacker finds a
bug in apache, he does as little damage as possible.
05-04-2011, 07:49 PM
Johan Martinez
apache docroot permissions
On Wed, May 4, 2011 at 12:58 PM, Kenneth Porter <shiva@sewingwitch.com> wrote:
> User apache only needs read access except under special conditions, such as
> a script that needs to store configuration in a file. And a lot of apps
> store their state in a DB so they don't need filesystem write access at
> all.
> Set the permissions as strict as possible, so that if an attacker finds a
> bug in apache, he does as little damage as possible.
Thanks for the suggestions Richard and Kenneth. I installed drupal here and it requires the user running apache to have write access on the filesystem. Otherwise it complains: 'The directory sites/default/files is not writable'. The content editors/developers need write access to the theme/pictures folders. So it seems like I can't avoid giving write access to the apache user. Any hacks or tips here?
jM.
05-04-2011, 08:34 PM
Johnny Hughes
apache docroot permissions
On 05/04/2011 02:49 PM, Johan Martinez wrote:
>
>
> On Wed, May 4, 2011 at 12:58 PM, Kenneth Porter <shiva@sewingwitch.com
> <mailto:shiva@sewingwitch.com>> wrote:
>
> User apache only needs read access except under special conditions,
> such as
> a script that needs to store configuration in a file. And a lot of apps
> store their state in a DB so they don't need filesystem write access at
> all.
>
> Set the permissions as strict as possible, so that if an attacker
> finds a
> bug in apache, he does as little damage as possible.
>
>
>
> Thanks for the suggestions Richard and Kenneth. I installed drupal here
> and it requires user running apache to have write access on filesystem.
> Otherwise it complains: 'The directory sites/default/files is not
> writable'. The content editors/developers need write access to
> theme/pictures folders. So it seems like I can't avoid giving write
> access to apache user. Any hacks or tips here?
You may not need it in this case, but you can set up your mount using
acls, then use setfacl to assign more than just one group or user to
have permissions on a directory. You can keep that in mind if httpd
gets upset about having a different group than apache.
05-04-2011, 08:49 PM
Kai Schaetzl
apache docroot permissions
Johan Martinez wrote on Wed, 4 May 2011 14:49:52 -0500:
> Thanks for the suggestions Richard and Kenneth. I installed drupal here and
> it requires user running apache to have write access on filesystem.
Assuming you are running mod_php and safe_mode: that is probably because of
PHP safe_mode. You didn't say you were going to write to that area with
drupal. That's a completely different picture then! You really have to give
the complete picture.
In PHP safe_mode you can:
a) have all php files and the write area owned by apache
b) have all php files owned by a user and the write area writable by apache
but owned by the user (*)
c) have all php files owned by the user, group-owned by apache and the write
-area group-owned by apache and owned by the user and use safe_mode_gid
instead of safe_mode.
(*) this doesn't work if you create subdirectories because they get the wrong
permissions and apache can't pass thru
I think the most-used scenario is b). You will have to do some research to
see what fits your setup best. (php.net/safe_mode). Also note that safe_mode
is discouraged "officially" now since it isn't 100% reliable. However, I
strongly advise using it if possible as long as it is available.
Kai
05-04-2011, 09:12 PM
Kenneth Porter
apache docroot permissions
On Wednesday, May 04, 2011 10:49 PM +0200 Kai Schaetzl
<maillists@conactive.com> wrote:
> b) have all php files owned by a user and the write area writable by
> apache but owned by the user (*)
> (*) this doesn't work if you create subdirectories because they get the
> wrong permissions and apache can't pass thru
Make the writable directories SGID and any files and subdirectories created
there will inherit the group ownership:
<http://www.library.yale.edu/wsg/docs/permissions/sgid.htm>
05-04-2011, 10:31 PM
Kai Schaetzl
apache docroot permissions
Kenneth Porter wrote on Wed, 04 May 2011 14:12:32 -0700:
> Make the writable directories SGID and any files and subdirectories created
> there will inherit the group ownership:
AFAIK, this works on Unix, but not on Linux. On Linux you have to use ACLs, as
Johnny already pointed to.
Kai
05-04-2011, 10:35 PM
Stephen Harris
apache docroot permissions
On Thu, May 05, 2011 at 12:31:15AM +0200, Kai Schaetzl wrote:
> Kenneth Porter wrote on Wed, 04 May 2011 14:12:32 -0700:
>
> > Make the writable directories SGID and any files and subdirectories created
> > there will inherit the group ownership:
>
> AFAIK, this works on Unix, but not on Linux. On Linux you have to use ACLs, as
It works on Linux.
$ id -a
uid=500(sweh) gid=500(sweh) groups=0(root),500(sweh),501(vboxusers)
$ ls -ld .
drwxr-sr-x 2 sweh bin 4096 May 4 18:33 ./
$ ls -l hmmm
/bin/ls: hmmm: No such file or directory
$ touch hmmm
$ ls -ld hmmm
-rw-r--r-- 1 sweh bin 0 May 4 18:33 hmmm
So the file I just created is in group bin even though I am not in that
group.
--
rgds
Stephen
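Stephen's experiment turned into a repeatable check (added here, not part of the thread): two scratch directories get a group other than the caller's primary group, one with SGID and one without, and the script reports whether a file created inside inherits the directory's group. It assumes GNU stat and, for a non-root user, at least one supplementary group (root may use any gid).

```shell
#!/bin/sh
# Added check, not part of the thread: repeats Stephen's experiment in a
# scratch directory so SGID group inheritance can be verified on the host
# at hand. Needs GNU stat; as root any gid works, as an ordinary user one
# supplementary group is required (otherwise chmod g+s is silently dropped).

# Print a gid different from the caller's primary gid, or nothing.
pick_other_gid() {
    primary=$(id -g)
    if [ "$(id -u)" -eq 0 ]; then
        echo $((primary + 1))
        return 0
    fi
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    return 0
}

# Create directory $1 owned by group $2, set SGID when $3 is "sgid", create
# a file inside it and print the gid that file received.
new_file_gid() {
    mkdir "$1" && chgrp "$2" "$1" || return 1
    if [ "$3" = sgid ]; then
        chmod g+s "$1"
    fi
    : > "$1/hmmm"
    stat -c %g "$1/hmmm"
}

# Prints "inherit" when the SGID directory hands its group to the new file
# while a plain directory leaves it in the creator's primary group, "skip"
# when no second group is available, otherwise the two gids observed.
sgid_inheritance() {
    other=$(pick_other_gid)
    [ -n "$other" ] || { echo skip; return 0; }
    t=$(mktemp -d)
    with_sgid=$(new_file_gid "$t/sgid" "$other" sgid)
    without=$(new_file_gid "$t/plain" "$other" plain)
    rm -rf "$t"
    if [ "$with_sgid" = "$other" ] && [ "$without" = "$(id -g)" ]; then
        echo inherit
    else
        echo "sgid=$with_sgid plain=$without"
    fi
}

sgid_inheritance
```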
05-05-2011, 12:38 AM
Gordon Messmer
apache docroot permissions
On 05/04/2011 12:49 PM, Johan Martinez wrote:
> Thanks for the suggestions Richard and Kenneth. I installed drupal here
> and it requires user running apache to have write access on filesystem.
> Otherwise it complains: 'The directory sites/default/files is not
> writable'. The content editors/developers need write access to
> theme/pictures folders. So it seems like I can't avoid giving write
> access to apache user. Any hacks or tips here?
Tip 1:
Your files and directories can have different permissions. Rather than
your original setup, try:
chown -R apache:contenteditors /var/www/html
find /var/www/html -type f -exec chmod 0464 {} +
find /var/www/html -type d -exec chmod 2575 {} +
or:
chown -R apache:apache /var/www/html
find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +
Tip 2:
Don't install drupal in /var/www/html. Generally, /var/www/html should
be used only for static content. Web applications should be installed
outside the document root to prevent a misconfiguration from allowing
remote clients to download files that might contain configurations,
passwords, or other sensitive information. See the rpm packaged drupal
for an example of how this is done.
Tip 3:
If your application says that it needs write access to
"sites/default/files", then add write access only for that directory.
05-05-2011, 07:21 PM
Johan Martinez
apache docroot permissions
On Wed, May 4, 2011 at 7:38 PM, Gordon Messmer <yinyang@eburg.com> wrote:
> On 05/04/2011 12:49 PM, Johan Martinez wrote:
> > Thanks for the suggestions Richard and Kenneth. I installed drupal here
> > and it requires user running apache to have write access on filesystem.
> > Otherwise it complains: 'The directory sites/default/files is not
> > writable'. The content editors/developers need write access to
> > theme/pictures folders. So it seems like I can't avoid giving write
> > access to apache user. Any hacks or tips here?
> Tip 1:
> Your files and directories can have different permissions. Rather than
> your original setup, try:
> chown -R apache:contenteditors /var/www/html
> find /var/www/html -type f -exec chmod 0464 {} +
> find /var/www/html -type d -exec chmod 2575 {} +
> or:
> chown -R apache:apache /var/www/html
> find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
> find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +
> Tip 2:
> Don't install drupal in /var/www/html. Generally, /var/www/html should
> be used only for static content. Web applications should be installed
> outside the document root to prevent a misconfiguration from allowing
> remote clients to download files that might contain configurations,
> passwords, or other sensitive information. See the rpm packaged drupal
> for an example of how this is done.
> Tip 3:
> If your application says that it needs write access to
> "sites/default/files", then add write access only for that directory.
Thanks for the suggestions everyone. I am using the following config for now.
* Moved drupal install outside document root and used alias for the namespace mapping.
* Filesystem ownership: apache:contenteditors
* Filesystem permissions: u=rx, g=rwx, group with sticky bit set. Exception of 'sites/default/files' on which apache has write permissions.
jM
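An added example, not from the thread or any of its posters: a shell audit of a docroot against the 0464/2575 scheme Gordon gave (apache owns the tree but cannot write, editors write through the group, SGID keeps new files in that group), with the single writable exception from Tip 3 that Johan's final layout also uses. It assumes GNU find, treats any owner-writable or world-writable path outside the exception and any directory without SGID as a violation, and runs on a constructed scratch tree.

```shell
#!/bin/sh
# Added audit, not part of the thread: checks a docroot against the scheme
# quoted above (files 0464, directories 2575: apache owns but cannot write,
# contenteditors write through the group, SGID keeps new files in that
# group) with one writable exception per Tip 3, e.g. sites/default/files.

# Print one line per violation under docroot $1; $2 is the relative path
# of the single directory the web server is allowed to write to.
audit_docroot() {
    root=$1
    writable=$root/$2
    # Outside the exception: files apache (the owner) or anyone could modify.
    find "$root" -path "$writable" -prune -o -type f \
        \( -perm -0200 -o -perm -0002 \) -print
    # Outside the exception: directories apache or anyone could create files
    # in, or that lack the SGID bit (new files would leave the editors' group).
    find "$root" -path "$writable" -prune -o -type d \
        \( -perm -0200 -o -perm -0002 -o ! -perm -2000 \) -print
    # Inside the exception apache may write, but nothing may be world-writable.
    find "$writable" -perm -0002 -print
}

# Constructed demo: builds a small tree, applies the scheme, plants two
# defects and prints how many violations the audit reports (expected: 2).
demo_violation_count() {
    t=$(mktemp -d)
    html=$t/html
    mkdir -p "$html/sites/default/files" "$html/themes"
    for f in index.php themes/style.css themes/upload.php sites/default/files/pic.png; do
        : > "$html/$f"
    done
    find "$html" -type f -exec chmod 0464 {} +
    find "$html" -type d -exec chmod 2575 {} +
    chmod 2775 "$html/sites/default/files"          # Tip 3: apache writes here only
    chmod 0664 "$html/themes/upload.php"            # defect: apache could rewrite code
    chmod 0666 "$html/sites/default/files/pic.png"  # defect: world-writable upload
    count=$(audit_docroot "$html" sites/default/files | wc -l | tr -d ' ')
    chmod -R u+w "$t" && rm -rf "$t"
    echo "$count"
}

demo_violation_count
```

Run audit_docroot against the real tree (for example `audit_docroot /var/www/html sites/default/files`) after applying the chmod/find commands; an empty result means the tree matches the scheme.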