Hi,
How do I configure apache to allow PHP scripts write access to a document root without compromising security?
I have a fedora29 system with php-7.2.13 and trying to get joomla installed properly and having some trouble. I'm an experienced Linux admin, but I'm not very familiar with php applications and how to manage permissions of them. I don't entirely understand the relationship between php, apache, and mod_fcgi. I fully understand how filesystem permissions and ownership works.
I have all files at 644 and all directories at 755 in the document root, owned by my ftpuser account. selinux is disabled because this server does so much other stuff.
The problem is that joomla fails to run properly because the document root isn't entirely owned by the apache user. What is the best method for managing permissions with apache so we don't have to have all files owned by the user which is running the apache process?
I'm also confused on the relationship between mod_fcgid, fpm-fcgi and suexec. I've configured php-fpm and mod_fcgid according to this doc (and others): https://wiki.archlinux.org/index.php/Apache_HTTP_Server#Using_php-fpm_and_mo...
I've also set SuexecUserGroup to the user I'd like to use for ftp/sftp access:
SuexecUserGroup ftpuser ftpuser
but I don't understand how that ties in with the filesystem and allowing apache to write the joomla files it needs, like the cache directory and perform extension updates, while also allowing access to the ftpuser to read and write the same files.
I believe I want to use mod_fcgi instead of loading PHP into apache directly with mod_php. Do I need to create a wrapper script, or is one already included with fedora?
It appears fedora is already loading php7_module with the php package. Do I need to disable that prior to using mod_fcgid?
Allegedly, on or about 12 January 2019, Alex sent:
How do I configure apache to allow PHP scripts write access to a document root without compromising security?
Files/directories have three permissions, the owner, the group, and other users. Files should *not* be owned by Apache, nor writeable by it, allowing Apache to write to them is a major security failure. Apache reads and serves files using the other user permissions.
What *actually* will write to your files? Is it an Apache process, or your script. Or, probably even better, having them owned an actual user that logs in, even if through your scripting system (e.g. when I edit files using VIM, they're owned be me, not the VIM program). Hopefully it is not Apache, itself. They should be owned, or part- owned (remember there's user and group permissions) by the user or process that will actually update them.
Disabling SELinux is usually a "throwing the baby out with the bathwater" solution to a problem.
Hi,
Allegedly, on or about 12 January 2019, Alex sent:
How do I configure apache to allow PHP scripts write access to a document root without compromising security?
Files/directories have three permissions, the owner, the group, and other users. Files should *not* be owned by Apache, nor writeable by it, allowing Apache to write to them is a major security failure. Apache reads and serves files using the other user permissions.
Yes, that is my understanding as well. It's the apache configuration part I don't understand.
What *actually* will write to your files? Is it an Apache process, or your script. Or, probably even better, having them owned an actual user that logs in, even if through your scripting system (e.g. when I edit files using VIM, they're owned be me, not the VIM program).
It's joomla PHP scripts running through apache, and remote sftp users running as the user logging in. Changing the files to be owned by apache allows the joomla scripts to write (just to show joomla is still running under apache), but then it prevents any other user from being able to modify any of the same files.
Of course I know I could add apache to the same group as the sftp user and chmod the files to group-writable, but the joomla recommendations are to have all the files 644 and directories 755. It complains (and some parts of it won't run) when permissions are other than 644 on files.
Hopefully it is not Apache, itself. They should be owned, or part- owned (remember there's user and group permissions) by the user or process that will actually update them.
Back when I did this for apache-2.0, or perhaps even 1.3, we would set the directories sgid and use an sgid binary that would write the files.
It appears that today the php-fpm or mod_fcgid modules does something similar by first sending the files through a proxy or external script to actually do the writing. I just don't understand how that all goes together, and there is no current fedora document that shows how to do it.
Disabling SELinux is usually a "throwing the baby out with the bathwater" solution to a problem.
Yes, perhaps, and I'd be all for configuring SELinux, but it's a nightmare to configure and maintain with a large system. I'm open to ideas. It does look like there is support for it with fedora, however:
# ls -lZ /usr/sbin/suexec -r-x--x---. 1 root apache system_u:object_r:httpd_suexec_exec_t:s0 15816 Jul 20 06:30 /usr/sbin/suexec
Also back when I did this like a decade ago (or longer?), spawning a new process for every write was avoided because of the overhead.
Tim:
What *actually* will write to your files? Is it an Apache process, or your script. Or, probably even better, having them owned an actual user that logs in, even if through your scripting system (e.g. when I edit files using VIM, they're owned be me, not the VIM program).
Alex:
It's joomla PHP scripts running through apache, and remote sftp users running as the user logging in. Changing the files to be owned by apache allows the joomla scripts to write (just to show joomla is still running under apache), but then it prevents any other user from being able to modify any of the same files.
Of course I know I could add apache to the same group as the sftp user and chmod the files to group-writable, but the joomla recommendations are to have all the files 644 and directories 755. It complains (and some parts of it won't run) when permissions are other than 644 on files.
Perhaps the question is more about *who* should own the files, rather than the permissions.
e.g. https://www.google.com/search?q=what+user+should+own+joomla+files
https://joomla.stackexchange.com/questions/132/recommended-practices-regardi...
https://forum.joomla.org/viewtopic.php?t=121470
https://forum.joomla.org/viewtopic.php?t=891689
https://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup#File_per...
I don't use Joomla, nor do I know what you're going to do with it, so I'm only approaching this on what I know about webserving directly with Apache.
Looking at some of the results, I don't see useful answers to who should own them. I do see comments about the default PHP handlers, etc., not being the best choice, and you could have to change web hosting providers to do the job properly. (I've still got to change mine, I deliberately picked one using Apache, then they got bought out and changed to LightSpeed, which is only partially compatible, and fails some of my needs, at some rather basic Apache features.)
I saw one hint that you might have to loosen permissions to set things up, then restrict them once the installation had finished. It all sounds badly cobbled together, to me.
It appears that today the php-fpm or mod_fcgid modules does something similar by first sending the files through a proxy or external script to actually do the writing.
That's not too surprising. They could filter traffic, and only allow what should be allowed, and keep the writable files in a different area. If you make any file writeable by Apache, and that file can somehow be addressed through Apache, you're going to get hacked.
-
Alex -
Tim