Re: Those pesky Apache permissions (was Re: (kein Betreff))



Hello!
Sorry for answering you as a PM and for giving you my reply so late!
The problem has been solved and I wanted to thank you for your
support, really appreciated!
Also I wanted to thank you for the really good walkthrough (written with
a good sense of humour ;) ), splendid advice!
The only thing that I'm still missing is that the user (of that
group: 33) can't rename the file index.html (for example to index.htm or to
index2.html), but replacing it with a new version of the file works
wonderfully using WinSCP3.
I have changed the group ownership of the folder containing the whole
data for the HTML site (every file has the group
ownership (33), recursively); the funny thing was that before doing this,
only root was the owner of that folder and root was the group owner....
If you also have good advice for books regarding the Apache webserver, I
would be thankful if you let me know!
Nice time and kindest regards!

krassen

David Tonhofer, m-plify S.A. wrote:

--On Thursday, March 02, 2006 10:05 PM +0100 Krassen Deltchev
<deltchev@xxxxxxxxxxxxx> wrote:

Hello,

i have a very odd problem:


Woah! Serious trouble, man (just joking but arm yourself with courage
to climb the learning curve...). And get a good book.

Here's what you want to do:

1) Any apache-related stuff is often best asked in the apache
discussion group... err, here:
<http://httpd.apache.org/lists.html#http-users>

2) About the permissions question:

a) Make sure apache is running non-root. What does ps faux show?
Something like this? Good. The apache user is configured in
httpd.conf

root 25695 0.0 0.0 120016 1736 ? Ss Feb12 0:00 /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
apache 18361 0.0 0.1 120392 5084 ? S Mar01 0:00 \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
apache 2411 0.0 0.1 120504 5156 ? S 14:19 0:00 \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
apache 2521 0.0 0.1 120544 5248 ? S 14:19 0:00 \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
apache 2522 0.0 0.1 120520 5204 ? S 14:19 0:00 \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP

b) Webspace file permissions have nothing to do with httpd.conf.
They have everything to do with the OS.

What you want is:

WORLD

Make sure the files in the website can be read by the user running the
webserver (apache or httpd) -> make them world-readable, directories
executable.

Make sure the files in the website cannot be modified by the user
running the webserver (apache or httpd) -> make them not world-writable.

GROUP

You have a special group that can change stuff (group 33). All the
stuff
on the site should be owned by that group. The group must be able to
read and write files and to read, write, execute directories.
ADDITIONALLY, newly created files and directories need to 'inherit'
the group ownership. Set the 'group setuid' bit on the directories.
(chmod g+s)

Edit /etc/group and put all your users (1002, 1003, 1004) into that group
(vigr). Users should be able to modify files and directories as these
files and directories are writeable by group 33.

However, suppose user 1003, primary group 1003, creates a new file.
In that case, the file is owned by group 1003 instead of 33.
Not good. So we have to set the 'setuid group' flags on the
directories.
That way, the directories transfer their group ownership to newly
created child directories (quite a hack, eh?) That flag is inherited
through a newly created directory hierarchy. Which is nice.

Adding the directory 'setuid group' flag is done by:

chmod g+s bar (see the find command below)

USER

The owning user may be root, for example. It's not that important.
Permissions may be rwx (but make sure you have no setuid root
executables in there... :-P)

Commands:

find /var/my/website -type f -exec chmod u=rw,g=rw,o=r '{}' ';'
find /var/my/website -type d -exec chmod u=rwx,g=rwxs,o=rx '{}' ';'
find /var/my/website -exec chown root.33 '{}' ';'



No guarantees on anything....

Good luck.



--
----

Krassen Deltchev
Ruhr-Universität Bochum
Medizinische Fakultät
Institut für Physiologie
Abteilung für Neurophysiologie
MA 4-155
Universitätsstrasse 150
44801 Bochum
e-mail: deltchev@xxxxxxxxxxxxx
Krassen.Deltchev@xxxxxx
tel.work: 0234.32.24918

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
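The layout David describes (world-readable files, group-writable files, setgid group-writable directories, nothing setuid) as one script. This is an added example, not code from the thread or from either poster: it wraps the three find commands from the reply in an apply function and adds a check function that lists violations, including the setuid/setgid executables the reply warns about. The DOCROOT, OWNER and GROUP arguments, the function names and the `apply`/`check` usage are assumptions; chown to an owner other than yourself needs root. Note that ownership is changed before the mode bits, because a non-root user can only set the setgid bit on a directory whose group they belong to.

```shell
#!/bin/sh
# Added example (not from the thread): apply and verify the permission
# layout discussed in the reply on a web document root.
#   files : owner rw, group rw, world r          (0664)
#   dirs  : owner rwx, group rwx + setgid, world rx (2775)
# DOCROOT, OWNER and GROUP are arguments (assumed); changing ownership
# to a user other than yourself requires root.
set -u

# apply_web_perms DOCROOT OWNER GROUP
apply_web_perms() {
    docroot=$1 owner=$2 group=$3
    # Ownership first: chmod on a setgid directory only sticks for a
    # group the caller belongs to, so the chgrp has to come before it.
    chown -R "$owner:$group" "$docroot"
    # Files: explicitly drop any suid/sgid bit, then set the plain mode.
    find "$docroot" -type f -exec chmod u-s,g-s,u=rw,g=rw,o=r '{}' +
    # Directories: setgid so new files and subdirectories inherit the group.
    find "$docroot" -type d -exec chmod u=rwx,g=rwxs,o=rx '{}' +
}

# list_web_perm_violations DOCROOT
# Prints one "rule: path" line per finding. Symlinks are not matched by
# -type f / -type d, which avoids a false positive on their 0777 mode.
list_web_perm_violations() {
    docroot=$1
    find "$docroot" \( -type f -o -type d \) -perm -0002        | sed 's/^/world-writable: /'
    find "$docroot" -type d ! -perm -2000                        | sed 's/^/dir-without-setgid: /'
    find "$docroot" -type f \( -perm -4000 -o -perm -2000 \)     | sed 's/^/suid-or-sgid-file: /'
    find "$docroot" -type f ! -perm -0004                        | sed 's/^/file-not-world-readable: /'
    find "$docroot" -type d ! -perm -0005                        | sed 's/^/dir-not-world-searchable: /'
    find "$docroot" -type d ! -perm -0070                        | sed 's/^/dir-not-group-rwx: /'
    find "$docroot" -type f ! -perm -0060                        | sed 's/^/file-not-group-rw: /'
}

# count_web_perm_violations DOCROOT -> number of findings on stdout
count_web_perm_violations() {
    list_web_perm_violations "$1" | wc -l | tr -d ' '
}

# check_web_perms DOCROOT -> exit status 0 only if the tree is clean
check_web_perms() {
    [ "$(count_web_perm_violations "$1")" -eq 0 ]
}

main() {
    case "${1:-}" in
        apply) apply_web_perms "$2" "$3" "$4" ;;
        check) list_web_perm_violations "$2"; check_web_perms "$2" ;;
        *) echo "usage: $0 apply DOCROOT OWNER GROUP | $0 check DOCROOT" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh webperms.sh apply /var/my/website root 33` and then `sh webperms.sh check /var/my/website`; the check prints every offending path and exits non-zero, which makes it usable from cron after a WinSCP upload session. The `owner:group` form is the portable chown syntax; the `root.33` form in the reply is a GNU extension.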


