LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-22-2007, 09:14 AM   #1
deadeyes
Member
 
Registered: Aug 2006
Posts: 609

Rep: Reputation: 79
apache2 group/owner DocumentRoot security


Hi all,

I have a question about permissions and owners.
I have installed apache2. This uses www-data as user and group. I chgrp and chown /var/www changing from user and group "root" to user and group "www-data".
And I chmod-ed to 755 permissions on /var/www
Now I doubt if this is secure or not...

I thought if someone can get out of apache with an exploit, he could change/delete/... files. But normally it is root, which should be even more dangerous :s so now I'm a little confused.

I'm waiting for what the experts have to say about this

Greetings
 
Old 02-23-2007, 07:33 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by deadeyes
I have a question about permissions and owners.
I have installed apache2. This uses www-data as user and group. I chgrp and chown /var/www changing from user and group "root" to user and group "www-data".
And I chmod-ed to 755 permissions on /var/www
Now I doubt if this is secure or not...
of course security depends on many more factors, but yes, you're okay as far as DocumentRoot permissions...

Quote:
I thought if someone can get out of apache with an exploit, he could change/delete/... files.
an apache remote exploit will typically result in the attacker being able to execute code as the user apache is running as (www-data in your case)... this limits what they would be able to do to your system if compromised... for the attacker to gain higher privilages (such as root), he will need to proceed with a local exploit - which he may or may not have...

one way people deal with this kind of concern you have is by running apache in a chroot jail... there's lots of info about this on the web: http://www.google.com/linux?hl=en&q=apache+chroot

many administrators even take chroot a step further by using hardening tools such as those available from: http://www.grsecurity.net/

and if you're running web applications, make sure you look at: http://www.modsecurity.org/

Quote:
But normally it is root, which should be even more dangerous :s so now I'm a little confused.
apache is started as root, but it switches to the non-root user right away... you can check with a "ps aux" that only the apache parent process is being run by root, while all the children are run as the non-root user...

here's some apache2 security tips: http://httpd.apache.org/docs/2.0/mis...rity_tips.html

Last edited by win32sux; 02-23-2007 at 09:21 PM.
 
Old 02-24-2007, 04:59 AM   #3
deadeyes
Member
 
Registered: Aug 2006
Posts: 609

Original Poster
Rep: Reputation: 79
Quote:
Originally Posted by win32sux
of course security depends on many more factors, but yes, you're okay as far as DocumentRoot permissions...

an apache remote exploit will typically result in the attacker being able to execute code as the user apache is running as (www-data in your case)... this limits what they would be able to do to your system if compromised... for the attacker to gain higher privilages (such as root), he will need to proceed with a local exploit - which he may or may not have...

one way people deal with this kind of concern you have is by running apache in a chroot jail... there's lots of info about this on the web: http://www.google.com/linux?hl=en&q=apache+chroot

many administrators even take chroot a step further by using hardening tools such as those available from: http://www.grsecurity.net/

and if you're running web applications, make sure you look at: http://www.modsecurity.org/

apache is started as root, but it switches to the non-root user right away... you can check with a "ps aux" that only the apache parent process is being run by root, while all the children are run as the non-root user...

here's some apache2 security tips: http://httpd.apache.org/docs/2.0/mis...rity_tips.html
thank you for your response... I will take a look at those links.

EDIT:
I'm still a little confused. What I want to do is having 2 people who are able to copy files from there homedirectory to the DocumentRoot and folders beyond, they maintain the website. I chowned en chgrped the DocumentRoot and added them to the www-data group.
But now, I have to put 775 permissions. Otherwhise those 2 accounts (who I added to www-data group) can't change the files. But someone who can get out of apache (with an exploit) can then remove all files in the DocumentRoot.

How can I fix this? And is it better to keep the user and group "root"?
How can I achieve what I want to do as explained above?

Greetings!

Last edited by deadeyes; 02-24-2007 at 07:20 AM.
 
Old 02-24-2007, 07:05 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by deadeyes
What I want to do is having 2 people who are able to copy files from there homedirectory to the DocumentRoot and folders beyond, they maintain the website. I chowned en chgrped the DocumentRoot and added them to the www-data group.
But now, I have to put 775 permissions. Otherwhise those 2 accounts (who I added to www-data group) can't change the files. But someone who can get out of apache (with an exploit) can then remove all files in the DocumentRoot.

How can I fix this?
one way would be with a cron job that creates backups of the files every so often... hence:

1 --> apache is cracked, files in DocumentRoot are deleted...

2 --> logs are inspected; method of entry is determined; system is re-installed and hardened; backups are restored to the way they were prior to the crack...

3 --> life goes-on...

Quote:
And is it better to keep the user and group "root"?
well, having your DocumentRoot with root:root perms would guard the files if apache is exploited and no privilage-escalation is achieved by the cracker... but AFAICT it would cause more serious issues regarding the permissions your 2 users would then need... my suggestion is to leave things with www-data and go the way of the periodic backups... of course, my apache experience is limited, so you might wanna wait for someone else's opinion on this too...

Last edited by win32sux; 02-24-2007 at 07:06 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
APACHE2 DocumentRoot does not exist for Vhost Wonderm00n Linux - Software 2 04-09-2010 09:33 PM
Changing owner and group of file surfbass Linux - General 2 12-12-2005 02:25 PM
group owner etc MI3GTO Mandriva 3 02-27-2005 08:26 PM
Apache DocumentRoot and Admin Group permissions Niels@debian Linux - Software 0 10-27-2004 12:34 AM
Group as owner instead of a user dtournas Linux - General 1 09-11-2003 10:13 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:03 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration