LinuxQuestions.org
Old 11-07-2007, 05:44 AM   #1
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

[Adding users to apache group] Security risk ?


I'm setting up a LAMP server. The users' home directories will contain the websites.

The users need to be able to create (sub)directories that are writable by apache.

Trying to change the group of such a directory to apache by the owner of the directory results in a permission denied as the owner is not a member of the group apache.

The find command does not reveal too many files that are related to apache (either owner or group) so is there a security risk by adding the user(s) to the apache group?
 
Old 11-07-2007, 01:19 PM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

You should be able to have both apache and the user access the files at the same time.

The default Linux file permissions are rwx rwx rwx: 1st rwx = owner, 2nd rwx = group, 3rd rwx = other.

So if the user was named jim, you could do
chown jim:apache directory
then
chmod 775 directory

That would give user jim rwx, group apache rwx, and everyone else r-x.
 
Old 11-07-2007, 10:20 PM   #3
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Thanks for the answer.

The default permissions are usually 755 (umask 022), so apache can only read. And if a user is not a member of a group (apache in this case), he cannot change the group of a file to that group (see btmiller's reply in this thread).

I don't want to give a sysadmin a call each time I have to change the group of a file or directory. That's why I want to add the users to the apache group.

Last edited by Wim Sturkenboom; 11-07-2007 at 10:22 PM.
 
Old 11-08-2007, 12:39 AM   #4
complich8
Member
 
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104

I would make the directory world-writable (or writable to apache via ACLs, if you know anything about that one) and setgid the user (e.g.: chmod g+s directory). Then no changing groups is required (the files will be created owned by apache and group inherited from the directory). No adding users to the apache group is required, things are a little more sane, and the forward-facing fix is done in userspace.

Adding the user to the apache group is fairly safe, too.
 
Old 11-12-2007, 10:38 PM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Hi complich8, thanks for the answer.

I don't know anything about ACLs, so that option is off the menu for now.
I don't consider making the directory world-writable an option, as anybody can write to the directory in that case (something I'm trying to prevent).

For now, I will add the user to the apache group.
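
Added example (not part of any post in this thread): a shell check that classifies the directory modes proposed above (775, world-writable, setgid) by who can write and whether new files inherit the directory's group. The function names classify_mode and audit_dir are made up for this example, the directories are constructed in a temp dir, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit a web directory's mode for the options discussed in the thread.

# classify_mode OCTAL -> findings for a directory mode such as 775 or 2775.
classify_mode() {
    m=$((0$1))                       # leading 0 makes the shell read it as octal
    out=""
    if [ $((m & 0020)) -ne 0 ]; then out="$out group-writable"; fi
    if [ $((m & 0002)) -ne 0 ]; then out="$out world-writable"; fi
    if [ $((m & 02000)) -ne 0 ]; then out="$out setgid"; fi   # new files inherit the dir's group
    if [ $((m & 01000)) -ne 0 ]; then out="$out sticky"; fi   # only owners may delete entries
    if [ -z "$out" ]; then out=" owner-only-write"; fi
    echo "${out# }"
}

# audit_dir DIR -> one line: path, octal mode, owning group, findings.
# Assumption: GNU stat (-c format strings), as shipped on Linux.
audit_dir() {
    mode=$(stat -c '%a' "$1") || return 1
    group=$(stat -c '%G' "$1") || return 1
    echo "$1 mode=$mode group=$group $(classify_mode "$mode")"
}

# Constructed sample directories, one per option from the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/default" "$tmp/group" "$tmp/world" "$tmp/setgid"
    chmod 755  "$tmp/default"   # umask 022 default: apache can only read
    chmod 775  "$tmp/group"     # chown user:apache + chmod 775
    chmod 777  "$tmp/world"     # world-writable: any local account can write
    chmod 2775 "$tmp/setgid"    # 775 plus chmod g+s
    for d in default group world setgid; do
        audit_dir "$tmp/$d"
    done
    rm -rf "$tmp"
}

demo
```

A directory reported as world-writable is writable by every local account, which is the case the original poster wanted to avoid; group-writable limits writes to the owner and members of the owning group.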
 
  

