LinuxQuestions.org


Karas 10-16-2009 07:39 AM

Is it safe to give apache permissions?
 
Firstly, let me apologize if this is in the wrong section, I did read the rules, and came to the conclusion this was the best place to post.

Basically, for a university project, we are required to create a hosting server that will allow users to sign up and acquire web space, ftp, email, etc.

Now I am only at the beginning of implementing this system, and to begin with was just wondering:-

"How many privileges can I give to apache before it becomes insecure?"

The main reason I ask is because I am looking at using PHP to do a lot of writing and deleting of text files, so that later a cron job can make use of the information written to the file.

rizhun 10-16-2009 08:10 AM

Hi Karas,

Any internet-facing daemon is insecure by definition. All you can do is limit your liability by keeping your software at the latest stable release and not running any dangerous code!

Can you explain to us exactly what you mean by 'giving privileges'?

If you want to allow users to create accounts on your system via a web front-end you should make sure they only have access to a chroot jail'ed environment (Google).

If you didn't do this, someone could try and sign up for an account using the username 'root'; your cron script might then change root's password and allow complete access to your server.

In a chroot'ed environment, the path '/some/safe/directory/chroot' appears to the end-user as '/'.

Karas 10-16-2009 09:17 AM

Thanks for the reply rizhun.

By 'giving privileges' I mean (so far) the ability for PHP to use fwrite within the file system, say for example a user signs up with their details, specifically username, password, first name and surname.

This is posted, and a simple function takes that information and writes it to a text file in the format of username:xpassword:fullname,number,etc,,,:home/directory/path/:::

(not sure if there is more to that)

Then later a cron job makes a user on the system using that information.

All I am worried about is a user possibly injecting stuff into that text file. Of course there would be a more sophisticated script in place to determine duplicate usernames, but that's something I'll have to figure out later.

rizhun 10-16-2009 09:32 AM

PHP will already be able to write text files.

PHP code is executed by the server; Apache.
Apache should be configured to run as a non-root user. Sometimes this user is 'www' or 'wwwrun' or 'http' etc. depending on your distro. You can check what user Apache is running as by looking at the running Apache process:

Code:

$ ps -ef | grep -i http

The user running the server will be in the first column, let's say it's 'wwwrun'. You can see info about this user using 'id':

Code:

$ id wwwrun
uid=30(wwwrun) gid=8(www) groups=8(www)

This shows us that the user is 'wwwrun' and is in the group 'www'. You can use this information to create a 'safe' place for your text file to be written:

Code:

$ mkdir /some/path/to/a/dedicated/directory
$ chown wwwrun:www /some/path/to/a/dedicated/directory
$ chmod 750 /some/path/to/a/dedicated/directory

Now your PHP application can create files in '/some/path/to/a/dedicated/directory' and only the Apache user can read/write them.

If your cron/batch process needs to edit/read these files, create a new group 'mygroup' (or whatever) add your user to 'mygroup' and chgrp the /some/path/to/a/dedicated/directory to 'mygroup'.

Hope this helps!

:)
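
Added example (not part of any post in this thread): checks a root-run cron job could apply to each queued signup line before creating an account, covering the 'root' username and field-injection concerns raised above. The three-field layout username:password_hash:full name, the function names and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed queue format, one record per line:
#   username:password_hash:full name
LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII letters only

reject() { echo "reject: $1" >&2; }

# validate_record RECORD [PASSWD_FILE]: print the username and return 0 if safe.
validate_record() {
    record=$1; passwd_file=${2:-/etc/passwd}
    # Exactly three fields; extra colons would smuggle in uid, home or shell.
    case $record in
        *:*:*:*) reject "too many fields"; return 1 ;;
        *:*:*)   ;;
        *)       reject "too few fields"; return 1 ;;
    esac
    user=${record%%:*}; rest=${record#*:}
    hash=${rest%%:*};   fullname=${rest#*:}
    # Username: starts with a letter, then [a-z0-9_-], at most 32 characters.
    case $user in
        ''|[!a-z]*|*[!a-z0-9_-]*) reject "bad username"; return 1 ;;
    esac
    [ "${#user}" -le 32 ] || { reject "username too long"; return 1; }
    # Never touch an account that already exists (root, daemon, other users).
    if grep -q "^${user}:" "$passwd_file"; then
        reject "account exists: $user"; return 1
    fi
    # Hash: crypt(3) characters only. Full name: no control chars or GECOS commas.
    case $hash in
        ''|*[!A-Za-z0-9./\$]*) reject "bad hash"; return 1 ;;
    esac
    case $fullname in
        ''|*[[:cntrl:]]*|*,*) reject "bad full name"; return 1 ;;
    esac
    printf '%s\n' "$user"
}

# process_queue [PASSWD_FILE] < QUEUE: print the usernames that passed every check.
process_queue() {
    while IFS= read -r line || [ -n "$line" ]; do
        validate_record "$line" "${1:-/etc/passwd}" || true
    done
}

# Constructed sample records (not real data); only the first one is accepted.
process_queue <<'EOF'
newuser42:$6$salt$hash:New User
root:$6$salt$hash:Not Root
eve:$6$salt$hash:Eve:0:0:/root:/bin/sh
EOF
```

The web application should apply the same checks before writing the file, but the cron job must repeat them because it is the part that runs with privileges.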

Karas 10-16-2009 09:51 AM

I'll let you know when I've got Slackware installed on my system! lol!

rizhun 10-16-2009 09:54 AM

No probs! ;)

