LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-12-2008, 04:40 PM   #1
niner710
Member
 
Registered: Apr 2008
Posts: 37

Rep: Reputation: 15
Permissions of web server folders(cgi-bin, var/www/html)


I am trying to setup a linux web server but am a little confused about the permissions I should set for the folders associated with the web server.

Currently, I have my /var/www/html folder set to root access as well as my /cgi-bin/ folder. I read something about setting the /cgi-bin/ folder to user nobody. Can someone explain what permissions I should set these folders too, and what setting nobody does? Thanks/!
 
Old 05-12-2008, 07:10 PM   #2
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 5&6 CentOS 5, 6 & 7
Posts: 572

Rep: Reputation: 56
You should set the owner and group for these directories and files to the user and group for the web-server process. So, if your server starts the Apache httpd server process as user nobody, then your web files should have the same ownership. My Apache server is started by user "apache", so my files are owned by apache - not nobody and not root. I also implement SE-Linux to enhance security on my publicly accessible web server.

Set the individual file permissions to 755.

Which distro are you using?
 
Old 05-13-2008, 01:28 AM   #3
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
I am using Fedora 8. Right now my apache server is running as root. Could you tell me how to start the Apache http server process as nobody?
 
Old 05-13-2008, 01:32 AM   #4
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 5&6 CentOS 5, 6 & 7
Posts: 572

Rep: Reputation: 56
Are you sure it is running as root? I'm fairly sure the default settings in F8 would have the apache user running Apache, not root. Check using "ps -ef | grep http" from the command line, and hopefully all processes will be owned by apache.

If not, then you need to explain to us how you start Apache and perhaps how you installed it.

Last edited by blacky_5251; 05-13-2008 at 01:33 AM.
 
Old 05-13-2008, 12:41 PM   #5
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
Thanks for the feedback Blacky.

I started apache by issuing the command...
/sbin/service httpd start

You are right, the default user and group is Apache. I looked at my httpd.conf file and it is inded Apache as user/group. This is what the output looks like after I do a ps -ef | grep http.....

root 9393 1 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9395 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9396 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9397 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9398 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9399 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9400 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9401 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
apache 9402 9393 0 09:25 ? 00:00:00 /usr/sbin/httpd
root 9404 9346 0 09:25 pts/1 00:00:00 grep http

But the thing that I don't understand is that all my directories in /var/www are all still root privelege. Should I change the permissions to user=Apache, Group=apache? Should those directories be Apache user/group by default??
 
Old 05-13-2008, 02:51 PM   #6
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
So I guess I showed I'm a newbie in my last post. I figured my own question out. I should keep the permissions at root the same. The user apache will run as other user in this case.

My other question though, is that I am running a CGI script in /cgi-bin/script.cgi, and want to write to a crontab file in /home/jma/Documents/cron-tab. I can't seem to write to that file though. My permission for script.cgi is 755 and my permissions for cron-tab is 777. Can anyone tell me what I'm doing wrong. The cgi script(script.cgi) is just.....

#!/usr/bin/perl
use CGI;
print "Content-type: text/html\n\n";
open(OUT, ">>/home/jma/Documents/cron-tab");
print OUT "blah\n";

Last edited by niner710; 05-13-2008 at 02:54 PM.
 
Old 05-13-2008, 06:35 PM   #7
seraphim172
Member
 
Registered: May 2008
Posts: 101

Rep: Reputation: 15
permission problem

User 'apache' has certainly no permissions to write to location '/home/jma/Documents/cron-tab', unless user 'jma' belongs to group apache or has all it's files and directories set to be owned by apache.

It is also not clear what you expect from a crontab file written that way. Based on the filename maybe you expect it to provide some 'cron' action. I would suggest you read the man pages for cron.

Linux Archive

Last edited by seraphim172; 06-25-2008 at 05:25 AM.
 
Old 05-13-2008, 07:04 PM   #8
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
Ok, thanks I see. Can someone tell me where the apache home directory is? What is the signifigance of the nobody user/group??
 
Old 05-13-2008, 07:17 PM   #9
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
I basically have a webpage that takes input from the user. I want to process the output of that html form and do a specific action with perl script. The perl script will take arguments from what the user specified in the html form and would run in cron. I can't seem to write any of the data to a .txt file much less cron file. I created a new user/group called Niners and created a .txt file in /home/Niners/niners.txt. I edited the /etc/httpd/conf/http.conf file to have User=Niners, Group=Niners. Restarted and started the server. Yet I still can't write to the txt file in the Niners home directory. Keep getting a permission denied error message. What am I doing wrong?
 
Old 05-13-2008, 07:25 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324
The Niners home dir needs to be in the apache group.
In many systems, the apache software runs as the user/group nobody, instead of apache/apache.
Its distro specific I believe.
 
Old 05-13-2008, 09:48 PM   #11
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
I found out the problem. It seems like since I had set SELinux set to enabled. When I turned it to Permissive it seemed to work. Are there any security ramifications in doing this?
 
Old 05-13-2008, 10:09 PM   #12
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 5&6 CentOS 5, 6 & 7
Posts: 572

Rep: Reputation: 56
There certainly are. SELinux will protect your server if the httpd service is compromised by preventing the hacked httpd service from accessing anything that it would not normally have access to - like user's home directories. For example, it will prevent httpd from gaining root user status using buffer exploits.

Perhaps you could record your output in /var/log/httpd rather than /home? The apache process has access to this directory under the SELinux policy.

It is always easy to find reasons to turn SELinux off, which is what you've done by setting it to permissive mode (it is now only reporting the things it would have prevented). A better challenge for you is to learn to work within the security parameters imposed by SELinux

Last edited by blacky_5251; 05-13-2008 at 10:10 PM.
 
Old 05-14-2008, 12:07 AM   #13
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
Hmm...I tried to write to /var/log/httpd with SELinux enabled yet I still get a permission denied message. Is there another folder that apache process has access to. I am using Fedora 8.
 
Old 05-14-2008, 12:13 AM   #14
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 5&6 CentOS 5, 6 & 7
Posts: 572

Rep: Reputation: 56
Sorry, I led you up the garden path with /var/log/httpd

What you need to do is find a directory that has a context of httpd_sys_content_t. The -Z option for the "ls" command shows SELinux context information about files and directories. For example:-
Code:
# ls -ldZ /var/www /var/log/httpd
drwx------  root root system_u:object_r:httpd_log_t    /var/log/httpd
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t /var/www
#
The log directory is accessible only in the httpd logging context, which you aren't working in. Perhaps create a directory under /var/www that you can then write to from the httpd process.

Other useful SELinux commands are:-
  • getsebool -a
    Used to show all SELinux boolean variables. Use commands like this to look for http and cgi boolean variables and their current values:-
    Code:
    getsebool -a | grep cgi
    getsebool -a | grep http
  • setsebool -P
    Use this to set a boolean value. The -P is required if you want to make the change persistent across reboots.
  • togglesebool
    Toggles a boolean value
Also, use the SELinux Trouble Shooter on your GUI desktop. Double click the Sheriff star at the top-right of your screen and you'll see the SELinux error log, and in most cases, suggestions about how to resolve the problems - e.g. booleans that could be changed to allow the blocked behaviour.

Last edited by blacky_5251; 05-14-2008 at 12:19 AM.
 
Old 05-14-2008, 11:54 AM   #15
niner710
Member
 
Registered: Apr 2008
Posts: 37

Original Poster
Rep: Reputation: 15
I finally got it to work with my home directory and SE Linux enabled. I had to change the context of my home directory...Like what Blacky said it seems that Se Linux will only allow Apache to run on directories that have the httpd context. I could have either found a directory that had that context or change the context of another directory to enable me to write to a file in that directory.

Here are the commands that I used.

chcon -r httpd_sys_content_t/home/jma(changes my home directory to have httpd context so that I can have an apache process can run in this directory)
chmod 775 /home/jma

Thanks for everyone's help. I understand Linux permissions much better then when I first started.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
strange permissions in /var/www/html, '+' sign ericvlach Linux - Security 6 10-11-2007 10:23 AM
apache server setup and how to place files in the var/www/html directory dramous Linux - Newbie 7 09-28-2004 05:18 AM
apache server setup and how to place files in the var/www/html directory dramous Linux - Software 3 09-25-2004 03:38 AM
apache server setup and how to place files in the var/www/html directory dramous Linux - General 2 09-25-2004 02:29 AM
user/group permissions for /var/www/html/ illtbagu Linux - Software 6 11-12-2003 06:29 AM


All times are GMT -5. The time now is 10:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration