I am trying to setup a linux web server but am a little confused about the permissions I should set for the folders associated with the web server.

Currently, I have my /var/www/html folder set to root access as well as my /cgi-bin/ folder. I read something about setting the /cgi-bin/ folder to user nobody. Can someone explain what permissions I should set these folders too, and what setting nobody does? Thanks/!

You should set the owner and group for these directories and files to the user and group for the web-server process. So, if your server starts the Apache httpd server process as user nobody, then your web files should have the same ownership. My Apache server is started by user "apache", so my files are owned by apache - not nobody and not root. I also implement SE-Linux to enhance security on my publicly accessible web server.

Set the individual file permissions to 755.

Which distro are you using?

I am using Fedora 8. Right now my apache server is running as root. Could you tell me how to start the Apache http server process as nobody?

Are you sure it is running as root? I'm fairly sure the default settings in F8 would have the apache user running Apache, not root. Check using "ps -ef | grep http" from the command line, and hopefully all processes will be owned by apache.

If not, then you need to explain to us how you start Apache and perhaps how you installed it.

Thanks for the feedback Blacky.

I started apache by issuing the command...
/sbin/service httpd start

You are right, the default user and group is Apache. I looked at my httpd.conf file and it is inded Apache as user/group. This is what the output looks like after I do a ps -ef | grep http.....

root 9393 1 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9395 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9396 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9397 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9398 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9399 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9400 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9401 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9402 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
root 9404 9346 0 09:25 pts/1 00:00:00 grep http

But the thing that I don't understand is that all my directories in /var/www are all still root privelege. Should I change the permissions to user=Apache, Group=apache? Should those directories be Apache user/group by default??

So I guess I showed I'm a newbie in my last post. I figured my own question out. I should keep the permissions at root the same. The user apache will run as other user in this case.

My other question though, is that I am running a CGI script in /cgi-bin/script.cgi, and want to write to a crontab file in /home/jma/Documents/cron-tab. I can't seem to write to that file though. My permission for script.cgi is 755 and my permissions for cron-tab is 777. Can anyone tell me what I'm doing wrong. The cgi script(script.cgi) is just.....

#!/usr/bin/perl
use CGI;
print "Content-type: text/html\n\n";
open(OUT, ">>/home/jma/Documents/cron-tab");
print OUT "blah\n";

User 'apache' has certainly no permissions to write to location '/home/jma/Documents/cron-tab', unless user 'jma' belongs to group apache or has all it's files and directories set to be owned by apache.

It is also not clear what you expect from a crontab file written that way. Based on the filename maybe you expect it to provide some 'cron' action. I would suggest you read the man pages for cron.

Linux Archive

Ok, thanks I see. Can someone tell me where the apache home directory is? What is the signifigance of the nobody user/group??

I basically have a webpage that takes input from the user. I want to process the output of that html form and do a specific action with perl script. The perl script will take arguments from what the user specified in the html form and would run in cron. I can't seem to write any of the data to a .txt file much less cron file. I created a new user/group called Niners and created a .txt file in /home/Niners/niners.txt. I edited the /etc/httpd/conf/http.conf file to have User=Niners, Group=Niners. Restarted and started the server. Yet I still can't write to the txt file in the Niners home directory. Keep getting a permission denied error message. What am I doing wrong?

The Niners home dir needs to be in the apache group.
In many systems, the apache software runs as the user/group nobody, instead of apache/apache.
Its distro specific I believe.

I found out the problem. It seems like since I had set SELinux set to enabled. When I turned it to Permissive it seemed to work. Are there any security ramifications in doing this?

There certainly are. SELinux will protect your server if the httpd service is compromised by preventing the hacked httpd service from accessing anything that it would not normally have access to - like user's home directories. For example, it will prevent httpd from gaining root user status using buffer exploits.

Perhaps you could record your output in /var/log/httpd rather than /home? The apache process has access to this directory under the SELinux policy.

It is always easy to find reasons to turn SELinux off, which is what you've done by setting it to permissive mode (it is now only reporting the things it would have prevented). A better challenge for you is to learn to work within the security parameters imposed by SELinux

Hmm...I tried to write to /var/log/httpd with SELinux enabled yet I still get a permission denied message. Is there another folder that apache process has access to. I am using Fedora 8.

Sorry, I led you up the garden path with /var/log/httpd

What you need to do is find a directory that has a context of httpd_sys_content_t. The -Z option for the "ls" command shows SELinux context information about files and directories. For example:-The log directory is accessible only in the httpd logging context, which you aren't working in. Perhaps create a directory under /var/www that you can then write to from the httpd process.

Other useful SELinux commands are:-

• getsebool -a
  Used to show all SELinux boolean variables. Use commands like this to look for http and cgi boolean variables and their current values:-
  Code:

  getsebool -a | grep cgi
  getsebool -a | grep http

• setsebool -P
  Use this to set a boolean value. The -P is required if you want to make the change persistent across reboots.
• togglesebool
  Toggles a boolean value

Also, use the SELinux Trouble Shooter on your GUI desktop. Double click the Sheriff star at the top-right of your screen and you'll see the SELinux error log, and in most cases, suggestions about how to resolve the problems - e.g. booleans that could be changed to allow the blocked behaviour.

I finally got it to work with my home directory and SE Linux enabled. I had to change the context of my home directory...Like what Blacky said it seems that Se Linux will only allow Apache to run on directories that have the httpd context. I could have either found a directory that had that context or change the context of another directory to enable me to write to a file in that directory.

Here are the commands that I used.

chcon -r httpd_sys_content_t/home/jma(changes my home directory to have httpd context so that I can have an apache process can run in this directory)
chmod 775 /home/jma

Thanks for everyone's help. I understand Linux permissions much better then when I first started.