Linux - Security forum, LinuxQuestions.org

02-22-2007, 09:14 AM
#1
deadeyes
Member
Registered: Aug 2006
Posts: 609
apache2 group/owner DocumentRoot security
Hi all,
I have a question about permissions and owners.
I have installed apache2. This uses www-data as user and group. I chgrp'ed and chown'ed /var/www, changing from user and group "root" to user and group "www-data".
And I chmod-ed /var/www to 755 permissions.
Now I doubt if this is secure or not...
I thought if someone can get out of apache with an exploit, he could change/delete/... files. But normally it is root, which should be even more dangerous :s so now I'm a little confused.
I'm waiting for what the experts have to say about this.
Greetings

02-23-2007, 07:33 PM
#2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by deadeyes
I have a question about permissions and owners.
I have installed apache2. This uses www-data as user and group. I chgrp'ed and chown'ed /var/www, changing from user and group "root" to user and group "www-data".
And I chmod-ed /var/www to 755 permissions.
Now I doubt if this is secure or not...

of course security depends on many more factors, but yes, you're okay as far as DocumentRoot permissions...
Quote:
I thought if someone can get out of apache with an exploit, he could change/delete/... files.

an apache remote exploit will typically result in the attacker being able to execute code as the user apache is running as (www-data in your case)... this limits what they would be able to do to your system if compromised... for the attacker to gain higher privileges (such as root), he will need to proceed with a local exploit - which he may or may not have...
one way people deal with this kind of concern you have is by running apache in a chroot jail... there's lots of info about this on the web: http://www.google.com/linux?hl=en&q=apache+chroot
many administrators even take chroot a step further by using hardening tools such as those available from: http://www.grsecurity.net/
and if you're running web applications, make sure you look at: http://www.modsecurity.org/
Quote:
But normally it is root, which should be even more dangerous :s so now I'm a little confused.

apache is started as root, but it switches to the non-root user right away... you can check with a "ps aux" that only the apache parent process is being run by root, while all the children are run as the non-root user...
here's some apache2 security tips: http://httpd.apache.org/docs/2.0/mis...rity_tips.html
Last edited by win32sux; 02-23-2007 at 09:21 PM.
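The "ps aux" check win32sux describes, turned into a small script (an example added here, not code from the thread or from the Apache project): it counts apache2 processes per owner and passes only when exactly one process (the parent) runs as root and the workers run as the unprivileged user named in Apache's User directive, www-data on this system. The ps output in the block is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): verify from "ps aux" output that
# Apache has dropped privileges: one parent as root, all workers as the
# unprivileged user from the User directive (www-data here).

# Constructed sample of "ps aux" output (not captured from a real host).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1234  0.0  0.5  20000  5000 ?        Ss   09:00   0:00 /usr/sbin/apache2 -k start
www-data  1235  0.0  0.4  20000  4000 ?        S    09:00   0:00 /usr/sbin/apache2 -k start
www-data  1236  0.0  0.4  20000  4000 ?        S    09:00   0:00 /usr/sbin/apache2 -k start
root      1300  0.0  0.1   5000  1000 pts/0    S+   09:01   0:00 grep apache2'

# apache_procs_as PS_TEXT USER: number of apache2 processes owned by USER.
# Field 1 is the owner and field 11 the command. A trailing "grep apache2"
# line has "grep" in field 11, so a "ps aux | grep apache2" pipeline does
# not count itself.
apache_procs_as() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 == u && $11 ~ /apache2/ { n++ }
        END { print n + 0 }'
}

# apache_privsep_ok PS_TEXT USER: succeeds when exactly one apache2 process
# runs as root and at least one worker runs as USER. A second root process,
# or no unprivileged worker at all, is the condition worth investigating.
apache_privsep_ok() {
    root_n=$(apache_procs_as "$1" root)
    user_n=$(apache_procs_as "$1" "$2")
    [ "$root_n" -eq 1 ] && [ "$user_n" -ge 1 ]
}

# Demo on the constructed sample. On a live host run:
#   apache_privsep_ok "$(ps aux)" www-data && echo ok
if apache_privsep_ok "$SAMPLE_PS" www-data; then
    echo "privilege separation looks right: 1 root parent, $(apache_procs_as "$SAMPLE_PS" www-data) www-data workers"
else
    echo "unexpected apache2 process ownership"
fi
```

The check is deliberately strict about the single root process: on the prefork and worker MPMs the thread is discussing, only the parent that binds port 80 should keep root, so any additional root-owned apache2 process deserves a look.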

02-24-2007, 04:59 AM
#3
deadeyes
Member
Registered: Aug 2006
Posts: 609
Original Poster
Quote:
Originally Posted by win32sux
of course security depends on many more factors, but yes, you're okay as far as DocumentRoot permissions...
an apache remote exploit will typically result in the attacker being able to execute code as the user apache is running as (www-data in your case)... this limits what they would be able to do to your system if compromised... for the attacker to gain higher privileges (such as root), he will need to proceed with a local exploit - which he may or may not have...
one way people deal with this kind of concern you have is by running apache in a chroot jail... there's lots of info about this on the web: http://www.google.com/linux?hl=en&q=apache+chroot
many administrators even take chroot a step further by using hardening tools such as those available from: http://www.grsecurity.net/
and if you're running web applications, make sure you look at: http://www.modsecurity.org/
apache is started as root, but it switches to the non-root user right away... you can check with a "ps aux" that only the apache parent process is being run by root, while all the children are run as the non-root user...
here's some apache2 security tips: http://httpd.apache.org/docs/2.0/mis...rity_tips.html

thank you for your response... I will take a look at those links.
EDIT:
I'm still a little confused. What I want to do is to have 2 people who are able to copy files from their home directory to the DocumentRoot and the folders below it; they maintain the website. I chowned and chgrped the DocumentRoot and added them to the www-data group.
But now I have to put 775 permissions. Otherwise those 2 accounts (which I added to the www-data group) can't change the files. But someone who can get out of apache (with an exploit) can then remove all files in the DocumentRoot.
How can I fix this? And is it better to keep the user and group "root"?
How can I achieve what I want to do as explained above?
Greetings!
Last edited by deadeyes; 02-24-2007 at 07:20 AM.

02-24-2007, 07:05 PM
#4
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by deadeyes
What I want to do is to have 2 people who are able to copy files from their home directory to the DocumentRoot and the folders below it; they maintain the website. I chowned and chgrped the DocumentRoot and added them to the www-data group.
But now I have to put 775 permissions. Otherwise those 2 accounts (which I added to the www-data group) can't change the files. But someone who can get out of apache (with an exploit) can then remove all files in the DocumentRoot.
How can I fix this?

one way would be with a cron job that creates backups of the files every so often... hence:
1 --> apache is cracked, files in DocumentRoot are deleted...
2 --> logs are inspected; method of entry is determined; system is re-installed and hardened; backups are restored to the way they were prior to the crack...
3 --> life goes on...
Quote:
And is it better to keep the user and group "root"?

well, having your DocumentRoot with root:root perms would guard the files if apache is exploited and no privilege escalation is achieved by the cracker... but AFAICT it would cause more serious issues regarding the permissions your 2 users would then need... my suggestion is to leave things with www-data and go the way of the periodic backups... of course, my apache experience is limited, so you might wanna wait for someone else's opinion on this too...
Last edited by win32sux; 02-24-2007 at 07:06 PM.
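The permission problem deadeyes describes comes from using www-data as the maintainers' group: with 775 and group www-data, the web server user has the same write access as the two maintainers. An example added here (not code from the thread, and a layout neither poster proposes) audits a DocumentRoot for entries that the group or anyone else could write, then applies the usual alternative: files owned by root and a separate maintainers' group (the group name "webdev" is a hypothetical choice), directories 2775 and files 664, so the maintainers write through the group while www-data, which is not in that group, only gets the read and execute bits for "other". The chown needs root and is left as a comment; the directory tree in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit a DocumentRoot for entries
# the Apache user could modify, then apply a layout where the maintainers
# write through their own group ("webdev", a hypothetical name) and
# www-data, which is NOT a member of that group, can only read.

# writable_by_other DIR: entries any user, www-data included, could write
# to or remove (world-writable files and directories).
writable_by_other() {
    find "$1" -perm -o+w | sort
}

# writable_by_group DIR: entries the owning group can write. While the
# DocumentRoot is still group www-data (the setup in the thread), these
# are the entries Apache could change as well.
writable_by_group() {
    find "$1" -perm -g+w | sort
}

# count_writable_by_other DIR: the world-writable check as a number.
count_writable_by_other() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# harden_docroot DIR: directories 2775 (setgid, so files the maintainers
# create inherit the webdev group), files 664. Group members can write,
# everyone else, including www-data, can only read. Changing ownership
# needs root, so that step is shown as a comment for a real deployment.
harden_docroot() {
    # chown -R root:webdev "$1"      # run as root on the real system
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Demo on a constructed tree in a temporary directory (not a real site).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/img"
    chmod 755 "$tmp/site"
    printf '<html></html>\n' > "$tmp/site/index.html"
    chmod 777 "$tmp/site/img"            # the "just make it work" permission to avoid
    chmod 666 "$tmp/site/index.html"
    echo "before: $(count_writable_by_other "$tmp/site") world-writable entries"
    writable_by_other "$tmp/site"
    harden_docroot "$tmp/site"
    echo "after:  $(count_writable_by_other "$tmp/site") world-writable entries"
    rm -rf "$tmp"
}
demo
```

Two caveats a practitioner would want: the setgid bit only fixes the group of newly created files, so maintainers still need a umask of 002 (or a cron job running the chmod lines) for their files to stay group-writable; and any directory Apache itself must write to (upload folders, session or cache directories) has to be handled separately and kept outside the tree the maintainers own, which is exactly where win32sux's backup advice still applies.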