I'm rebuilding my web server and (finally) moving to a newer
configuration that should finally bring some more decent security and
performance. However, I have quite a few questions left that I
have trouble finding information about. Hopefully some knowledgeable
people can give me the practical information about this...
From a much older mail I got this advice ("Server hacked" thread on 1 &
2 January 2008):
Res wrote:
> On Wed, 2 Jan 2008, Joris Dobbelsteen wrote:
>> At least there are some lessons in this:
>> * Use one-user-per-website only (easier auditing).
>
> Good idea...
>
> Dirs should be 710 for htdocs root
> eg: chmod 710 /var/www/vhosts
> chmod 710 /var/www/vhosts/example.com
> chmod 710 /var/www/vhosts/example.net
This would imply that
- user can do anything
- group can enter the directory (and nothing more?)
> Ensure the users who own those domains are the only ones with access,
> except group must be web server.
> eg: chown -R jack.apache /var/www/vhosts/example.com
> chown -R jill.apache /var/www/vhosts/example.net
In this case I'm puzzled how:
* apache, as the user is capable of actually reading htdocs.
> Use suexec in every virtualhost block in Apache
> eg: SuexecUserGroup jack apache
I didn't do this, instead I did SuexecUserGroup user user
If I do "SuexecUserGroup user apache", how does this isolate the
different users? As apache web server is capable of reading (through
group permissions), so should the user? Or what am I missing?
Any help, hints, pointers and good advice for this?
- Joris
06-25-2008, 09:25 PM
Carl Friis-Hansen
Web server security: file permissions
Joris Dobbelsteen wrote:
> <snip>
> > Dirs should be 710 for htdocs root
> > eg: chmod 710 /var/www/vhosts
> > chmod 710 /var/www/vhosts/example.com
> > chmod 710 /var/www/vhosts/example.net
>
> This would imply that
> - user can do anything
> - group can enter the directory (and nothing more?)
>
> > Ensure the users who own those domains are the only ones with access,
> > except group must be web server.
> > eg: chown -R jack.apache /var/www/vhosts/example.com
> > chown -R jill.apache /var/www/vhosts/example.net
>
> /var/www/vhost/example.com 755 user:user
> /var/www/vhost/example.com/cgi-bin 555 user:user
> /var/www/vhost/example.com/htdocs 750 user:apache
>
> In this case I'm puzzled how:
> * apache, as the user is capable of actually reading htdocs.
>
> > Use suexec in every virtualhost block in Apache
> > eg: SuexecUserGroup jack apache
> </snip>
It will work. Directories need bit 0 set (x) for both user (owner) and
web server (group) so that both fellows can get into these. Only owner
needs to write - normally. Give write permission to web server (group) in
cases like log files and directories where people can upload pictures or
other files. Make sure the FTP server sets user:www-data and 640 for all
files.
I have an https web page where my users can log in and change permissions
on all files below their document root, except for the logs directory.
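
The questions in this thread can be checked with a small model of the standard Unix owner/group/other test. This is an added example, not code from either poster; the numeric ids, the `index.html` files and the ownership of `/var`, `/var/www` and `/var/www/vhosts` are assumptions, and root override and ACLs are not modelled.

```python
from collections import namedtuple

Node = namedtuple("Node", "mode uid gid")   # one file or directory
Proc = namedtuple("Proc", "uid gids")       # credentials of a process
R, W, X = 4, 2, 1

# Constructed numeric ids (assumptions, not from the thread).
ROOT, APACHE, JACK, JILL = 0, 48, 1001, 1002
VH = "/var/www/vhosts"
TREE = {  # owners of /var, /var/www and VH are assumed; modes 710/640 are from the thread
    "/var": Node(0o755, ROOT, ROOT),
    "/var/www": Node(0o755, ROOT, ROOT),
    VH: Node(0o710, ROOT, APACHE),
    VH + "/example.com": Node(0o710, JACK, APACHE),
    VH + "/example.com/index.html": Node(0o640, JACK, APACHE),
    VH + "/example.net": Node(0o710, JILL, APACHE),
    VH + "/example.net/index.html": Node(0o640, JILL, APACHE),
}

def class_bits(node, proc):
    """The kernel picks exactly one class: owner, else group, else other."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in proc.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can(proc, path, want, tree=TREE):
    """True if proc has `want` on path and search (x) on every parent directory."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        if not class_bits(tree["/" + "/".join(parts[:i])], proc) & X:
            return False
    return (class_bits(tree[path], proc) & want) == want

HTTPD = Proc(APACHE, {APACHE})            # the web server itself
CGI_JACK_APACHE = Proc(JACK, {APACHE})    # SuexecUserGroup jack apache
CGI_JACK_JACK = Proc(JACK, {JACK})        # SuexecUserGroup user user, for jack

if __name__ == "__main__":
    jill_page = VH + "/example.net/index.html"
    for name, proc in [("httpd", HTTPD), ("jack:apache", CGI_JACK_APACHE),
                       ("jack:jack", CGI_JACK_JACK)]:
        print(name, "list example.com:", can(proc, VH + "/example.com", R),
              "| read jill's page:", can(proc, jill_page, R))
```

In this model the web server can open files under a 710 directory by name but cannot list it, and a CGI running with group `apache` passes the same group checks on every site, which is the isolation concern raised in the first post.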