How can I grant Apache User Umount rights?

demia · 04-29-2009, 11:14 AM

Hi,

I want my apache user (www-data) to be able to umount drives that are mounted with fuse. (i think it is the same as regular umount, but i'm not sure)

when i execute: www-data@1:$ umount /2345
umount: /2345 is not in the fstab (and you are not root)

how can i get this done?

unSpawn · 04-30-2009, 06:23 AM

You could use a Sudo NOPASSWD line. Instead I'd route the command through a CGI or implement checks otherwise, else you might make the code capable of umounting more than you will find funny.

demia · 04-30-2009, 08:23 AM

Thanks unSpawn, can you explain a little more "route the command through a CGI or implement checks otherwise" ?

My take on the matter is this:

My main website has the root /home/main

all the other websites has the root /othersites/

and i restrict all other websites with virtual host command below.

<Directory /othersites>
php_admin_flag safe_mode On
AllowOverride None
</Directory>

So only main website can execute commands, no other. But please do tell me if i'm missing something because we will be online soon.

Cheers,

unSpawn · 04-30-2009, 08:58 AM

Quote:

Originally Posted by demia

can you explain a little more "route the command through a CGI or implement checks otherwise" ? (..) only main website can execute commands, no other.

Think about it this way: what is it exactly that keeps me, as unauthorized user from executing the command in the webserver and the application? What is it exactly that keeps me, as authorized user, from executing the command in the webserver and the application on any mounted partition?

In terms of restrictions and checks this should be a combination of only allowing certain IP addresses or maintenance ranges access to this part of the webserver, a separate account with a strong passhprase for only certain admin tasks, using HTTPS, narrowing the amount of mountpoints to be selected as umountable. Logging access to this part of the webserver and commands run would be beneficial for recordkeeping.

demia · 04-30-2009, 09:05 AM

I think, if i put phpSafeMode = on to all the folders that you have access as unauthorized user, you can run absolutely no command therefore, even i give reboot rights to apache user, it will not be able to do anything harmful.

Only my main website code which is running outside of that directory can execute those commands even though it is the same unix user.

This setup is the one that i find easiest, and hopefully i'm not missing anything.