LinuxQuestions.org
Old 10-16-2009, 08:39 AM   #1
Karas
Member
 
Registered: Oct 2009
Distribution: Slackware 13.0
Posts: 49

Rep: Reputation: 15
Is it safe to give apache permissions?


Firstly, let me apologize if this is in the wrong section, I did read the rules, and came to the conclusion this was the best place to post.

Basically, for a university project, we are required to create a hosting server that will allow users to sign up and acquire web space, ftp, email, etc.

Now I am only at the beginning of implementing this system, and to begin with was just wondering:-

"How many privileges can I give to apache before it becomes insecure?"

The main reason I ask is because I am looking at using PHP to do a lot of writing and deleting of text files, so that later a cron job can make use of the information written to the file.
 
Old 10-16-2009, 09:10 AM   #2
rizhun
Member
 
Registered: Jun 2005
Location: England
Distribution: Ubuntu, SLES, AIX
Posts: 268

Rep: Reputation: 47
Hi Karas,

Any internet-facing daemon is insecure by definition. All you can do is limit your liability by keeping your software at the latest stable release and not running any dangerous code!

Can you explain to us exactly what you mean by 'giving privileges'?

If you want to allow users to create accounts on your system via a web front-end you should make sure they only have access to a chroot jail'ed environment (Google).

If you didn't do this, someone could try and sign up for an account using the username 'root'; your cron script might then change root's password and allow complete access to your server.

In a chroot'ed environment, the path '/some/safe/directory/chroot' appears to the end-user as '/'.
 
Old 10-16-2009, 10:17 AM   #3
Karas
Member
 
Registered: Oct 2009
Distribution: Slackware 13.0
Posts: 49

Original Poster
Rep: Reputation: 15
Thanks for the reply rizhun.

By 'giving privileges' I mean (so far) the ability for PHP to use fwrite within the file system. Say, for example, a user signs up with their details, specifically username, password, first name and surname.

This is posted, and a simple function takes that information and writes it to a text file in the format of username:xpassword:fullname,number,etc,,,:home/directory/path/:::

(not sure if there is more to that)

Then later a cron job makes a user on the system using that information.

All I am worried about is a user possibly injecting stuff into that text file. Of course there would be a more sophisticated script in place to determine duplicate usernames, but that's something I'll have to figure out later.

Last edited by Karas; 10-16-2009 at 10:18 AM.
 
Old 10-16-2009, 10:32 AM   #4
rizhun
Member
 
Registered: Jun 2005
Location: England
Distribution: Ubuntu, SLES, AIX
Posts: 268

Rep: Reputation: 47
PHP will already be able to write text files.

PHP code is executed by the server; Apache.
Apache should be configured to run as a non-root user. Sometimes this user is 'www' or 'wwwrun' or 'http' etc. depending on your distro. You can check what user Apache is running as by looking at the running Apache process:

Code:
$ ps -ef | grep -i http

The user running the server will be in the first column, let's say it's 'wwwrun'. You can see info about this user using 'id':

Code:
$ id wwwrun
uid=30(wwwrun) gid=8(www) groups=8(www)

This shows us that the user is 'wwwrun' and is in the group 'www'. You can use this information to create a 'safe' place for your text file to be written:

Code:
$ mkdir /some/path/to/a/dedicated/directory
$ chown wwwrun:www /some/path/to/a/dedicated/directory
$ chmod 750 /some/path/to/a/dedicated/directory

Now your PHP application can create files in '/some/path/to/a/dedicated/directory' and only the Apache user can read/write them.

If your cron/batch process needs to edit/read these files, create a new group 'mygroup' (or whatever), add your user to 'mygroup' and chgrp the /some/path/to/a/dedicated/directory to 'mygroup'.

Hope this helps!
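
Added example, not part of the original thread: a sketch of how the cron job could treat the Apache-written signup file as untrusted and validate every line before creating an account, covering the injected-field and 'root' username cases raised above. The four-field line format (username:password_hash:fullname:homedir), the name policy, HOME_BASE and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron-side validation of a signup queue written by the web app.
# Assumed (hypothetical) line format: username:password_hash:fullname:homedir
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"   # overridable so the check can be tested
HOME_BASE="${HOME_BASE:-/home/hosting}"     # hypothetical base for customer homes

# Return 0 only if the line is safe to hand to account-creation tooling.
validate_signup_line() {
    line=$1
    # Exactly three colons means exactly four fields; more means injected fields.
    colons=$(printf '%s' "$line" | tr -cd ':' | wc -c)
    [ "$colons" -eq 3 ] || return 1
    IFS=: read -r user hash fullname home <<EOF
$line
EOF
    # Strict allow-list for the login name (constructed policy, 3-16 chars).
    # This runs first so $user is safe to use inside the grep pattern below.
    printf '%s\n' "$user" | grep -Eq '^[a-z][a-z0-9_-]{2,15}$' || return 1
    # Never touch an account that already exists (root, daemon, wwwrun, ...).
    grep -q "^${user}:" "$PASSWD_FILE" && return 1
    # The password field must look like crypt(3) output, never plaintext.
    printf '%s\n' "$hash" | grep -Eq '^\$[0-9a-z]+\$[./A-Za-z0-9$=,]+$' || return 1
    # Display name: letters, spaces and a few punctuation marks only.
    printf '%s\n' "$fullname" | grep -Eq "^[A-Za-z][A-Za-z .'-]{0,63}\$" || return 1
    # The home directory is derived from the name, not chosen by the client.
    [ "$home" = "$HOME_BASE/$user" ] || return 1
    return 0
}

# Validate a queue file line by line; print how many lines were accepted.
# An injected newline simply becomes another line that is validated on its own.
process_queue() {
    accepted=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        if validate_signup_line "$entry"; then
            accepted=$((accepted + 1))   # a real job would create the user here
        else
            printf 'rejected signup line: %s\n' "$entry" >&2
        fi
    done < "$1"
    echo "$accepted"
}
```

The cron job would call process_queue on the file in the dedicated directory and create accounts only for lines that pass; rejected lines go to stderr so they land in cron's mail or log.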

 
Old 10-16-2009, 10:51 AM   #5
Karas
Member
 
Registered: Oct 2009
Distribution: Slackware 13.0
Posts: 49

Original Poster
Rep: Reputation: 15
I'll let you know when I've got Slackware installed on my system! lol!
 
Old 10-16-2009, 10:54 AM   #6
rizhun
Member
 
Registered: Jun 2005
Location: England
Distribution: Ubuntu, SLES, AIX
Posts: 268

Rep: Reputation: 47
No probs!
 
  


All times are GMT -5.