LinuxQuestions.org


Wim Sturkenboom 11-07-2007 04:44 AM

[Adding users to apache group] Security risk ?
 
I'm setting up a LAMP server. The users' home directories will contain the websites.

The users need to be able to create (sub)directories that are writable by apache.

Trying to change the group of such a directory to apache by the owner of the directory results in a permission denied as the owner is not a member of the group apache.

The find command does not reveal too many files that are related to apache (either owner or group) so is there a security risk by adding the user(s) to the apache group?

slimm609 11-07-2007 12:19 PM

You should be able to have both apache and the user access the files at the same time.

The default Linux file permissions are rwx rwx rwx: 1st rwx = owner, 2nd rwx = group, 3rd rwx = other.

So if the user was named jim, you could do
chown jim:apache directory
then
chmod 775 directory

That would give user jim rwx, group apache rwx, and everyone else r-x.

Wim Sturkenboom 11-07-2007 09:20 PM

Thanks for the answer.

The default permissions are usually 755 (umask 022) so apache can only read. And if a user is not a member of a group (apache in this case), he cannot change the group of a file to that group (see btmiller's reply in this thread).

I don't want to give a sysadmin a call each time I have to change the group of a file or directory. That's why I want to add the users to the apache group.

complich8 11-07-2007 11:39 PM

I would make the directory world-writable (or writable to apache via ACLs, if you know anything about that one) and setgid the user (e.g.: chmod g+s directory). Then no changing groups is required (the files will be created owned by apache and group inherited from the directory). No adding users to the apache group is required, things are a little more sane, and the forward-facing fix is done in userspace.

Adding the user to the apache group is fairly safe, too.

Wim Sturkenboom 11-12-2007 09:38 PM

Hi complich8, thanks for the answer.

I don't know anything about ACLs, so that option is off the menu for now.
I don't consider making the directory world-writable an option as anybody can write to the directory in that case (something I'm trying to prevent).

For now, I will add the user to the apache group.
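
The find-based check from the first post, made precise, as an added example that is not part of the original thread: it lists the paths where membership in a group grants write or read access that "other" does not already have. The function names are assumptions, as are the group name and root directory passed to them; only mode bits are examined, not ACLs.

```shell
#!/bin/sh
# Added example (not from the thread): report what joining GROUP would
# newly allow under ROOT, judged from mode bits only (ACLs are not checked).
# Run as root so find can descend everywhere; errors stay visible on stderr.
# -xdev keeps find on one filesystem, so repeat per mounted filesystem.

# Paths with group GROUP that the group can write but "other" cannot:
# a new member gains write access to exactly these.
group_writable() {   # usage: group_writable GROUP ROOT
    find "$2" -xdev ! -type l -group "$1" -perm -020 ! -perm -002 -print
}

# Paths the group can read but "other" cannot (configs, keys, logs):
# a new member gains read access to these.
group_readable_only() {   # usage: group_readable_only GROUP ROOT
    find "$2" -xdev ! -type l -group "$1" -perm -040 ! -perm -004 -print
}

# One-line summary in the form "GROUP: write=N read=M".
group_exposure() {   # usage: group_exposure GROUP [ROOT]
    grp=$1
    root=${2:-/}
    w=$(group_writable "$grp" "$root" | wc -l | tr -d ' ')
    r=$(group_readable_only "$grp" "$root" | wc -l | tr -d ' ')
    printf '%s: write=%s read=%s\n' "$grp" "$w" "$r"
}

# Stand-alone use: ./group_exposure.sh apache /
if [ "$#" -gt 0 ]; then
    group_exposure "$@"
fi
```

An empty result for both lists means membership adds nothing beyond what every local user already has; any path listed is something each added user will be able to modify or read.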

