Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
01-16-2007, 09:57 AM
|
#1
|
LQ Newbie
Registered: Mar 2006
Posts: 24
|
apache program writes files in the apache group, how can I change?
I am using Mambo 4.5.4. Mambo is writing files I upload via the Mambo interface to a group called Apache. This becomes a problem when you try to download a file and your ftp user is not in the same group. How can I resolve this permissions problem? What is the most secure and best practice?
All files uploaded to the website through ftp or the mambo 4.5.4 interface should all be under the same group. Do I need to alter code in mambo?
If so which ones and with what code? Your help is kindly appreciated.
|
|
|
01-17-2007, 04:41 AM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
Most secure would be to use PHP as suexec which, instead of running PHP as an Apache module (PHP as Apache process owner), runs PHP (and so anything PHP-based) as CGI (under your own username) which means you don't need / can't use overly broad perms like octal 0777. There are some small problems like you will need to move any php_flags from .htaccess files to per-directory php.ini files IIRC but all in all it will give you a more secure setup and since every file uploaded will be owned by you access problems should no longer be a problem.
Doesn't mean transition to PHPsuexec is a no-brainer or won't break things. If you want to make sure you can survive the transition it would be best to set up a (local) copy of the server and research and document what you need to change to make the transition. That way the risk of fscking up your production host can be minimised and you can practice all you want.
|
|
|
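An added example, not part of the original posts: a pre-migration audit to run on the local copy of the site before switching PHP to suexec. It lists world-writable paths, paths not owned by the site account, and `.htaccess` `php_flag`/`php_value` lines together with their php.ini form. The function names, directory layout and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-migration audit for a local copy of the site.
# All paths, file names and values below are constructed for illustration.

# World-writable files and directories (0777/0666 style modes).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Paths not owned by the account PHP will run as (name or numeric uid).
find_foreign_owned() {
    find "$1" ! -user "$2" | sort
}

# php_flag / php_value lines in .htaccess files, printed as "file:line"
# (/dev/null makes grep print the file name even for a single file).
find_php_directives() {
    find "$1" -type f -name .htaccess \
        -exec grep -E '^[[:space:]]*php_(flag|value)[[:space:]]' /dev/null {} + | sort
}

# Rewrite one .htaccess file's php_flag/php_value lines as php.ini settings.
htaccess_to_ini() {
    awk '$1 == "php_flag" || $1 == "php_value" {
        name = $2; $1 = ""; $2 = ""
        sub(/^[ \t]+/, "")
        print name " = " $0
    }' "$1"
}

# Build a small constructed docroot to run the checks against.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/images/stories"
    printf 'php_flag register_globals off\nphp_value upload_max_filesize 8M\nOptions -Indexes\n' > "$d/.htaccess"
    : > "$d/configuration.php"
    : > "$d/images/stories/upload.jpg"
    chmod 0755 "$d" "$d/images"
    chmod 0644 "$d/.htaccess" "$d/configuration.php"
    chmod 0777 "$d/images/stories"
    chmod 0666 "$d/images/stories/upload.jpg"
    echo "$d"
}

root=$(make_sample_docroot)
echo "World-writable:";             find_world_writable "$root"
echo "Not owned by uid $(id -u):";  find_foreign_owned "$root" "$(id -u)"
echo "Directives to move:";         find_php_directives "$root"
echo "php.ini form:";               htaccess_to_ini "$root/.htaccess"
rm -rf "$root"
```

On a real copy, pass the docroot and the site account's name to the functions instead of the sample tree; anything the first two checks report is a candidate for tighter ownership and modes once PHP runs under that account.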
01-17-2007, 07:09 AM
|
#3
|
LQ Newbie
Registered: Mar 2006
Posts: 24
Original Poster
|
Thank you
Are you saying this will make Mambo more secure than it has ever been? If yes, that sounds great! Perhaps this is a different version of Mambo that can be offered. Have you tried this before? Would you be willing to work with someone on the mambo forum to get something like this going?
Your idea can resolve a lot of security problems with CMS if it works the way you mentioned. But for right now, it may be more than I am able to do. What would make this a burden for me is changing the mambo files whenever I update with a patch (which is often). Although I like your idea, it sounds very secure but it's time to implement during upgrade. Does anyone else have suggestions?
|
|
|
01-17-2007, 08:17 AM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
The suexec method has been known for some time, is promoted, documented and discussed all over teh intarweb and is used by several hosting providers, it really is nothing new. Adding more strict security measures like this implies potential problems with some functionality and more maintenance. It's the usual trade-off. That's why I suggested using a testbed. Unless you have the knowledge and experience to determine that beforehand, saying it will be a burden w/o having tried and tested it seems somewhat premature to me. I suggest you read some (PHP)suexec docs first.
Last edited by unSpawn; 01-17-2007 at 08:19 AM.
|
|
|
01-17-2007, 09:16 AM
|
#5
|
LQ Newbie
Registered: Mar 2006
Posts: 24
Original Poster
|
Thank you
I will post this discussion over at Joomla and Mambo's web sites in their security areas. I am not sure if any are aware of this. Perhaps this can help them make mambo more secure. Thank you very much.
P.S. I will read these documents as well that you suggested. I am not against the idea, I am looking at it from a perspective of ease since my day to day operations include all aspects of managing the web server (maintaining the server itself, updating content, marketing, db maintenance etc.). So I streamline areas. Your suggestion is something the security team at both CMS's should consider. If they already have, I would like to know what their opinions are on it. Like I said, overall it sounds like it's needed. But that is not my area of expertise.
|
|
|
01-17-2007, 12:27 PM
|
#6
|
Moderator
Registered: May 2001
Posts: 29,415
|
Actually you could read http://forum.joomla.org/index.php?board=322.0 and then search both Joomla and Mambo fora for "suexec" and see what it turns up. In the Mambo fora there's quite a few threads to read I see.
|
|
|
All times are GMT -5. The time now is 02:16 AM.