LinuxQuestions.org
Old 11-07-2007, 04:44 AM   #1
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
[Adding users to apache group] Security risk ?


I'm setting up a LAMP server. The users' home directories will contain the websites.

The users need to be able to create (sub)directories that are writable by apache.

Trying to change the group of such a directory to apache by the owner of the directory results in a permission denied as the owner is not a member of the group apache.

The find command does not reveal too many files that are related to apache (either owner or group) so is there a security risk by adding the user(s) to the apache group?
 
Old 11-07-2007, 12:19 PM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
You should be able to have both apache and the user access the files at the same time.

The default Linux file permissions are rwx rwx rwx: 1st rwx = owner, 2nd rwx = group, 3rd rwx = other.

So if the user was named jim, you could do
chown jim:apache directory
then
chmod 775 directory

That would give user jim rwx, group apache rwx, and everyone else r-x.
 
Old 11-07-2007, 09:20 PM   #3
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Original Poster
Rep: Reputation: 282
Thanks for the answer.

The default permissions are usually 755 (umask 022) so apache can only read. And if a user is not a member of a group (apache in this case), he cannot change the group of a file to that group (see btmiller's reply in this thread).

I don't want to give a sysadmin a call each time I have to change the group of a file or directory. That's why I want to add the users to the apache group.

Last edited by Wim Sturkenboom; 11-07-2007 at 09:22 PM.
 
Old 11-07-2007, 11:39 PM   #4
complich8
Member
 
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104

Rep: Reputation: 17
I would make the directory world-writable (or writable to apache via ACLs, if you know anything about that one) and setgid the user (e.g.: chmod g+s directory). Then no changing groups is required (the files will be created owned by apache and group inherited from the directory). No adding users to the apache group is required, things are a little more sane, and the forward-facing fix is done in userspace.

Adding the user to the apache group is fairly safe, too.
 
Old 11-12-2007, 09:38 PM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Original Poster
Rep: Reputation: 282
Hi complich8, thanks for the answer.

I don't know anything about ACLs, so that option is off the menu for now.
I don't consider making the directory world-writable an option as anybody can write to the directory in that case (something I'm trying to prevent).

For now, I will add the user to the apache group.
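
Added example, not part of the thread: the opening post judges the risk from a find for apache-related files, and the script below narrows that search to what membership of the group would actually grant, namely paths writable through the group and paths readable only through it. The function names are hypothetical, and the group name and directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the group name and directories passed in are assumptions.

# Paths a member of group $1 could modify under $2: group-owned by $1 with
# the group write bit (020) set. On a directory this means creating and
# deleting entries. Symlinks are skipped: on Linux their mode reads as 777.
group_writable() {
    find "$2" -xdev -group "$1" -perm -020 ! -type l -print
}

# Paths that become readable only through the group: group read bit (040)
# set, "other" read bit (004) clear.
group_only_readable() {
    find "$2" -xdev -group "$1" -perm -040 ! -perm -004 ! -type l -print
}

# Print both lists for every directory given after the group name.
report() {
    group=$1
    shift
    for root in "$@"; do
        echo "== $root: writable through group $group"
        group_writable "$group" "$root"
        echo "== $root: readable only through group $group"
        group_only_readable "$group" "$root"
    done
}

# Example, run as root so find can enter every directory:
#   sh group-exposure.sh apache /etc /var /srv /home
if [ "$#" -ge 2 ]; then
    report "$@"
fi
```

Once users are in the group, every directory they mark group-writable for apache also shows up in the first list for every other member, so re-running the report after the change shows which users can write into each other's sites.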
 
  

