LinuxQuestions.org
Old 01-16-2007, 09:57 AM   #1
muskiediver
LQ Newbie
 
Registered: Mar 2006
Posts: 24

Rep: Reputation: 15
apache program writes files in the apache group, how can I change?


I am using Mambo 4.5.4. Mambo is writing files I upload via the Mambo interface to a group called Apache. This becomes a problem when you try to download a file and your ftp user is not in the same group. How can I resolve this permissions problem? What is the most secure and best practice?

All files uploaded to the website through ftp or the mambo 4.5.4 interface should all be under the same group. Do I need to alter code in mambo?

If so which ones and with what code? Your help is kindly appreciated.
 
Old 01-17-2007, 04:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901
Most secure would be to use PHP as suexec which, instead of running PHP as Apache module (PHP as Apache process owner), runs PHP (and so anything PHP-based) as CGI (under your own username) which means you don't need / can't use overly broad perms like octal 0777. There are some small problems like you will need to move any php_flags from .htaccess files to per-directory php.ini files IIRC but all in all it will give you a more secure setup and since every file uploaded will be owned by you access problems should no longer be a problem.

Doesn't mean transition to PHPsuexec is a no-brainer or won't break things. If you want to make sure you can survive the transition it would be best to set up a (local) copy of the server and research and document what you need to change to make the transition. That way the risk of fscking up your production host can be minimised and you can practice all you want.
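
An added example, not part of the post above and not Mambo or Apache project code: a pre-migration audit to run on the local copy of the server, listing what the switch to PHP under suexec touches (world-writable entries, entries owned by the web server group, and `php_flag`/`php_value` lines in `.htaccess` files). The function names and the sample tree are hypothetical, and the default group name `apache` is taken from the question.

```shell
#!/bin/sh
# Audit a docroot before moving from mod_php to PHP-as-CGI under suexec.
# Added example: function names and the sample tree are constructed here.

# Files and directories writable by anyone (the octal 0777 style of perms).
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Entries owned by the web server's group, i.e. written by PHP running as
# Apache. Prints nothing if the group does not exist on this host.
find_group_owned() {
    find "$1" -group "$2" -print 2>/dev/null || :
}

# php_flag / php_value lines in .htaccess files; commented-out lines are
# skipped. These have to move to per-directory php.ini files.
find_htaccess_php() {
    find "$1" -type f -name .htaccess \
        -exec grep -HnE '^[[:space:]]*php_(flag|value)[[:space:]]' {} + || :
}

audit_docroot() {
    echo "== world-writable ==";         find_world_writable "$1"
    echo "== group ${2:-apache} ==";     find_group_owned "$1" "${2:-apache}"
    echo "== php_* in .htaccess ==";     find_htaccess_php "$1"
}

# Constructed sample docroot (not taken from the thread) so the audit runs offline.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/images/stories" "$d/administrator"
    printf 'php_flag register_globals off\nphp_value upload_max_filesize 8M\n' > "$d/.htaccess"
    printf '# php_flag display_errors on\n' > "$d/administrator/.htaccess"
    : > "$d/index.php"
    : > "$d/images/stories/upload.jpg"
    chmod 0755 "$d" "$d/images" "$d/administrator"
    chmod 0644 "$d/index.php" "$d/.htaccess" "$d/administrator/.htaccess"
    chmod 0777 "$d/images/stories" "$d/images/stories/upload.jpg"
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
else
    sample=$(make_sample_docroot) && audit_docroot "$sample" && rm -rf "$sample"
fi
```

Run it as `sh audit.sh /path/to/docroot apache` against the test copy; with no arguments it audits the constructed sample tree.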
 
Old 01-17-2007, 07:09 AM   #3
muskiediver
LQ Newbie
 
Registered: Mar 2006
Posts: 24

Original Poster
Rep: Reputation: 15
Thank you

Are you saying this will make Mambo more secure than it has ever been? If yes, that sounds great! Perhaps this is a different version of Mambo that can be offered. Have you tried this before? Would you be willing to work with someone on the mambo forum to get something like this going?

Your idea can resolve a lot of security problems with CMS if it works the way you mentioned. But for right now, it may be more than I am able to do. What would make this a burden for me is changing the mambo files whenever I update with a patch (which is often). Although I like your idea, it sounds very secure but it's time to implement during upgrade. Does anyone else have suggestions?
 
Old 01-17-2007, 08:17 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901
The suexec method has been known for some time, is promoted, documented and discussed all over teh intarweb and is used by several hosting providers, it really is nothing new. Adding more strict security measures like this implies potential problems with some functionality and more maintenance. It's the usual trade-off. That's why I suggested using a testbed. Unless you have the knowledge and experience to determine that beforehand, saying it will be a burden w/o having tried and tested it seems somewhat premature to me. I suggest you read some (PHP)suexec docs first.

Last edited by unSpawn; 01-17-2007 at 08:19 AM.
 
Old 01-17-2007, 09:16 AM   #5
muskiediver
LQ Newbie
 
Registered: Mar 2006
Posts: 24

Original Poster
Rep: Reputation: 15
Thank you

I will post this discussion over at Joomla and Mambo's web sites in their security areas. I am not sure if any are aware of this. Perhaps this can help them make mambo more secure. Thank you very much.

P.S. I will read these documents as well that you suggested. I am not against the idea, I am looking at it from a perspective of ease since my day to day operations include all aspects of managing the web server (maintaining the server itself, updating content, marketing, db maintenance etc.). So I streamline areas. Your suggestion is something the security team at both CMS's should consider. If they already have, I would like to know what their opinions are on it. Like I said, overall it sounds like it's needed. But that is not my area of expertise.
 
Old 01-17-2007, 12:27 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901
Actually you could read http://forum.joomla.org/index.php?board=322.0 and then search both Joomla and Mambo fora for "suexec" and see what it turns up. In the Mambo fora there's quite a few threads to read I see.
 
  

