LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-02-2009, 01:17 AM   #1
Wim Sturkenboom
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Implications of making users members of 'apache' group


Currently I'm the developer, maintainer, admin etc on a LAMP server with a few websites on an intranet.

The responsibilities need to be split so we'll have a root user, a sysadmin user (can remotely login and su to root), a MySQLadmin user and one or more (maintenance) users for the websites.

The websites usually contain a subdirectory 'files' where apache needs to be able to write files.
I always run into the issue that I have to chmod the 'files' directory to apache, which cannot be done by the maintenance user as he/she is not a member of the apache group. Also, restoring a backup (from a tarball) causes problems as the 'files' directory then belongs to the primary group of the maintenance user.

Therefore I have been thinking to make 'apache' the primary group of the maintenance users.

I, however, cannot oversee the security implications. Is it advisable, or is there a better way?

Can somebody please advise about these implications?

Code:
/home
  +-- website1
  |      +---- www (document root)
  |      |      +--- files (need to be writable by apache)
  |      +---- inc
  +-- website2
  |      +---- www
  |      |      +--- files
  |      +---- inc
Thanks in advance, WimS
Old 06-02-2009, 12:45 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 27,462
Blog Entries: 54

How about Sudo? Or ACL (http://acl.bestbits.at/)?

Last edited by unSpawn; 06-03-2009 at 02:16 AM. Reason: Fix URI tag
Old 06-03-2009, 01:51 AM   #3
Wim Sturkenboom
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
I'm not sure how sudo can help in this case. Maybe somebody can explain that and give an example.

So I opted for ACLs. Here's the story (possibly as a reference for others):

After some reading of the man pages, the first attempt:
Code:
setfacl -m u:apache:rwx files
This failed with an 'operation not permitted' message, although the --test option did not give an error.

Read again and fixed it by changing the default mounting options of the file system:
Code:
tune2fs -o acl /dev/cciss/c0d0p1
Tried again, same message.

Thought, thought again, and suspected that the mount option might only take effect at mount time, so I rebooted the system (an unmount / mount probably would have done the trick).

Ran the setfacl again:
Code:
setfacl -m u:apache:rwx files
no errors
getfacl files
# file: files
# owner: wim
# group: wim
user::rwx
user:apache:rwx
group::r-x
mask::rwx
other::r-x
To test, I temporarily allowed the apache user to log in, su'd to apache and attempted to create a file in the files directory. And YES, it works.

Thanks unSpawn

PS
to make the post complete:
  • Slackware 12.0
  • ext3 filesystems (not every filesystem might support ACLs or one might need a different command to set the default mounting options)

Last edited by Wim Sturkenboom; 06-03-2009 at 01:59 AM. Reason: Added PS
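Two things worth checking after the recipe above, as an added example that is not part of the thread: the `mask::` line in getfacl output caps what every named user entry actually gets (a later `chmod` of the group bits rewrites that mask, so `user:apache:rwx` can silently become effective `r-x`), and a plain `setfacl -m u:apache:rwx` only covers the directory itself, not files created in it later or restored from a tarball. The script below is constructed here, not from the original post: `effective_perms` computes the real permissions for a user from getfacl text (the sample text is the output shown in the thread), and `apply_files_acl` is an assumed helper that sets both the access ACL and a default ACL so new entries inherit it.

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh + awk; setfacl is only invoked
# by apply_files_acl, which is never called automatically.

# getfacl output as shown in the thread, embedded here as a constructed sample.
SAMPLE_ACL='# file: files
# owner: wim
# group: wim
user::rwx
user:apache:rwx
group::r-x
mask::rwx
other::r-x'

# effective_perms USER GETFACL_TEXT
# Prints the permissions USER really has: the named entry ANDed with the mask.
# Prints "none" when USER has no named entry in the ACL.
effective_perms() {
    printf '%s\n' "$2" | awk -F: -v who="$1" '
        /^#/ { next }                                  # skip getfacl header lines
        $1 == "user" && $2 == who { perm = $3 }        # user:<who>:rwx
        $1 == "mask" && $2 == ""  { mask = $3 }        # mask::rwx
        END {
            if (perm == "") { print "none"; exit }
            if (mask == "") mask = "rwx"               # no mask entry: nothing is capped
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && m != "-") ? c : "-")
            }
            print out
        }'
}

# apply_files_ACL DIR USER  (assumed helper, not the thread's own command)
# Grants USER rwx on DIR and installs a matching default ACL so files and
# subdirectories created in DIR later inherit the same entry.
apply_files_acl() {
    dir=$1; user=$2
    setfacl -m "u:${user}:rwx" -m "d:u:${user}:rwx" "$dir" || return 1
    # Show the effective result; getfacl prints "#effective:r-x" when masked.
    getfacl "$dir"
}

# Stand-alone demonstration on the constructed sample: prints rwx.
effective_perms apache "$SAMPLE_ACL"
```

Run `apply_files_acl /home/website1/www/files apache` as a user who owns the directory; afterwards `getfacl` should show `default:user:apache:rwx` as well as the access entry. If a backup is restored without ACLs, the entries are gone and the function has to be run again, so it is worth checking `getfacl` (or `effective_perms`) as part of the restore procedure.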
 
Old 06-03-2009, 02:30 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 27,462
Blog Entries: 54

Sudo was only offered as a means to enable other roles to chown files where ACL isn't available. Good to see ACLs work for you and thanks for the elaborate response.