LinuxQuestions.org
01-17-2013, 12:44 PM   #16
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,001

Rep: Reputation: 67

Quote:
Originally Posted by misterpiddles
Given the Apache user and group are the same as the Linux user and group, should the files not have write permissions for either user or group for security purposes?
Apache only needs read permission in order to display an html or execute a PHP file, but the PHP file (or cgi-bin or whatever) may be coded to write directories or files on the server. Apache would need write access to any files that you do actually want it to write. Removing write permissions is a bit like making a file read-only on your desktop or laptop so you can be sure you don't delete it or overwrite it or whatever.

Quote:
Originally Posted by misterpiddles
And if the answer is yes, that there should only be read authority, how would we copy files from a testing environment to the live site without getting permission errors?
This is a good question and is more evidence for why I don't like the apache user being the same as my linux account user. I'm not sure how you typically upload/deploy files to your web server, but you might consider using SVN or GIT for source control and then supplementing that with a bash script or something that sets permissions correctly. If you need help with some sweeping permission-setting commands, I could probably help.
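
A sketch of the kind of permission-setting script mentioned in the post above, added here as an example and not written by anyone in the thread. It assumes a deploy account owns the webroot and Apache runs as a member of the files' group; the function names, `deploy`, `www-data` and the paths are hypothetical.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumed layout (names hypothetical):
#   chown -R deploy:www-data /var/www/site
# i.e. a deploy account owns the files and Apache reaches them only through
# the group bits.

# set_webroot_perms WEBROOT [WRITABLE_SUBDIR ...]
# Subdirectory arguments are relative to WEBROOT.
set_webroot_perms() {
    local root="$1" sub
    shift
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Refuse absolute paths or ".." before touching anything.
    for sub in "$@"; do
        case $sub in
            /*|*..*) echo "bad subdir: $sub" >&2; return 1 ;;
        esac
    done
    # Directories: owner rwx, group r-x, other nothing.
    find "$root" -type d -exec chmod 750 {} +
    # Files: owner rw, group r. No execute bit (assumes mod_php or PHP-FPM,
    # which read scripts instead of executing them).
    find "$root" -type f -exec chmod 640 {} +
    # Only the named upload/cache directories become group-writable.
    for sub in "$@"; do
        [ -d "$root/$sub" ] || continue
        find "$root/$sub" -type d -exec chmod 770 {} +
        find "$root/$sub" -type f -exec chmod 660 {} +
    done
}

# audit_writable WEBROOT: print everything group or other can write.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \)
}
```

Run after each deploy from source control, for example `set_webroot_perms /var/www/site uploads cache`, then review the output of `audit_writable /var/www/site` to confirm only the intended directories are writable by the web server's group.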
 
01-17-2013, 12:49 PM   #17
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,599

Rep: Reputation: 1241
Quote:
Originally Posted by misterpiddles
So looking at the httpd.conf file, the User and Group are being set to the same value as the owner and group for all the Linux files on the site. The value is the App Name, we'll call it "appuser".

A typical file's permission on the site looks like this:

-rwxr-xr-- 1 appuser appuser 1923 Oct 18 16:21 phpview.php

Given the Apache user and group are the same as the Linux user and group, should the files not have write permissions for either user or group for security purposes?

And if the answer is yes, that there should only be read authority, how would we copy files from a testing environment to the live site without getting permission errors?
It depends on the system.

Using just the DAC permission controls, the apache server would be running with only group access to the files. That allows the owner of the directory tree to set what permissions the server has. It also allows the owner (logged in as a user) to move files around however they want. Apache would only have group permissions, the user would have all permissions.

In the RH/CentOS/Fedora model, a user logged as the apache login would have full access... The server is labeled with reduced capability. So even if the owner of a file is the apache UID, apache running under that UID still doesn't necessarily have permission to access.

It isn't perfect. But SELinux does allow sandboxing applications that are not usually restrained.
 
01-17-2013, 12:53 PM   #18
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,001

Rep: Reputation: 67
Quote:
Originally Posted by jpollard
Using just the DAC permission controls, the apache server would be running with only group access to the files. That allows the owner of the directory tree to set what permissions the server has. It also allows the owner (logged in as a user) to move files around however they want. Apache would only have group permissions, the user would have all permissions.
I believe misterpiddles means to say that Apache is running as "appuser" rather than www-data or apache and all of the files in his webroot are owned and grouped to appuser. In this case, apache is both user and group owner of the files. This is not uncommon in shared hosting situations. I don't recall if it's WHM or CPanel or Plesk that does things this way, but I don't like it much.
 
01-17-2013, 12:58 PM   #19
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,599

Rep: Reputation: 1241
Ah yes. That does introduce problems.

I ran across one rather large web hosting facility with that problem. Any site that had a problem automatically grants full access to everything... This is the primary vulnerability with all multi-site servers (aka virtual servers...).

Didn't like it then, and reported it to both the vendor and upper management. I think management dropped their contract, but not sure.
 
01-17-2013, 01:41 PM   #20
misterpiddles
LQ Newbie
 
Registered: Nov 2012
Location: Boston-ish, MA, USA
Distribution: Debian
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sneakyimp
I believe misterpiddles means to say that Apache is running as "appuser" rather than www-data or apache and all of the files in his webroot are owned and grouped to appuser. In this case, apache is both user and group owner of the files. This is not uncommon in shared hosting situations. I don't recall if it's WHM or CPanel or Plesk that does things this way, but I don't like it much.
Yes, you're right, sneakyimp. I'm only a newb to real-world production LAMP environments (my prior experience is using PHP on my home Windows machine), but the security doesn't sound great.

Last edited by misterpiddles; 01-17-2013 at 02:07 PM. Reason: spelling
 
01-17-2013, 02:07 PM   #21
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,001

Rep: Reputation: 67
Don't confuse your current LAMP environment with all "real world LAMP environments." Shared hosting is an entirely different thing than a custom-configured LAMP server. The lax security is almost entirely attributable to the tools used to maintain the server. Most web hosting companies I know run racks of dedicated servers that all have a LAMP stack management tool like CPanel or Web Host Manager (WHM) or Plesk. These stack management tools are very convenient in that they automatically configure new virtual hosts, new email accounts, etc. with a nice browser-hosted GUI, but this convenience comes at a cost.

Most hosting companies don't want to pay a bazillion customer support reps to man the phones because all of their customers are having trouble installing Joomla or WordPress. They just assign blank write permissions to the entire webroot to Apache and are done with it. These stack management tools, knowing this, are complicit in this colossal security failure.

I have learned over the past few years to install my OS from scratch (or allocate a compute instance in the Amazon or Rackspace cloud) and install all of the elements of the LAMP stack using package management tools. UnSpawn has also been kind enough to describe a variety of powerful ways to keep your server secure.

I believe it was best said by the amazing Bruce Schneier. I may be paraphrasing, but I believe it was "security is not something you can buy, it is something you must get."

If you are interested in a really secure operating system, I understand that FreeBSD has a great reputation. If you are interested in learning to set up your own server, consider learning a bit about Amazon EC2 -- it's awesome and you can allocate a small server for like $20 a month or something and do whatever you like with it. Actually, they charge by the minute I think so you could allocate one for an hour or two and then shut it down. Then fire it up again later.
 
01-17-2013, 02:11 PM   #22
misterpiddles
LQ Newbie
 
Registered: Nov 2012
Location: Boston-ish, MA, USA
Distribution: Debian
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sneakyimp
Don't confuse your current LAMP environment with all "real world LAMP environments." Shared hosting is an entirely different thing than a custom-configured LAMP server. The lax security is almost entirely attributable to the tools used to maintain the server. Most web hosting companies I know run racks of dedicated servers that all have a LAMP stack management tool like CPanel or Web Host Manager (WHM) or Plesk. These stack management tools are very convenient in that they automatically configure new virtual hosts, new email accounts, etc. with a nice browser-hosted GUI, but this convenience comes at a cost...
Actually, I'm not working on a shared-hosting server. It's existing LAMP software that my company purchased and I'm customizing it (or at least 'attempting' to, lol).
 