8:31 a.m.
I have an Apache web server with a few virtual hosts. The ftp is handled by
proftpd, and I have multiple users defined. These users have their own uid
and gid. The problem comes when Apache is uid apache and need to write to
the said directory.
I am wondering what other people have done to deal with this. Do people just
set all the ftp users uid/gid to the same as the Apache uid/gid on the
system? Obviously this would be an ok solution because apache uid/gid !=
root.
What are the other ways you guys have dealth with this?
Thanks
eric
12:58 p.m.
I'd set their gid to a common group, and leave the uid alone.
On Fri, 19 Nov 2004 06:31:21 -0800, Eric Wagar <eric(a)deadhookers.org> wrote:
I have an Apache web server with a few virtual hosts. The ftp is
handled by
proftpd, and I have multiple users defined. These users have their own uid
and gid. The problem comes when Apache is uid apache and need to write to
the said directory.
I am wondering what other people have done to deal with this. Do people just
set all the ftp users uid/gid to the same as the Apache uid/gid on the
system? Obviously this would be an ok solution because apache uid/gid !=
root.
What are the other ways you guys have dealth with this?
Thanks
eric
--
fedora-list mailing list
fedora-list(a)redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
1:32 p.m.
On Fri, 19 Nov 2004, Eric Wagar wrote:
I have an Apache web server with a few virtual hosts. The ftp is
handled by
proftpd, and I have multiple users defined. These users have their own uid
and gid. The problem comes when Apache is uid apache and need to write to
the said directory.
I am wondering what other people have done to deal with this. Do people just
set all the ftp users uid/gid to the same as the Apache uid/gid on the
system? Obviously this would be an ok solution because apache uid/gid !=
root.
What are the other ways you guys have dealth with this?
You can add apache to a group/the groups that own the directory in
question, you could change the group ownership of the directory to the
apache group, and make it group writable. Or you could create a group to
own the directory, and make all necessary users (including apache) members
of that group.
--
Mike Burger
http://www.bubbanfriends.org
Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
To be notified of updates to the web site, visit
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a
message to:
site-update-request(a)bubbanfriends.org
with a message of:
subscribe
2:11 p.m.
Eric Wagar wrote:
I have an Apache web server with a few virtual hosts. The ftp is
handled by
proftpd, and I have multiple users defined. These users have their own uid
and gid. The problem comes when Apache is uid apache and need to write to
the said directory.
I am wondering what other people have done to deal with this. Do people just
set all the ftp users uid/gid to the same as the Apache uid/gid on the
system? Obviously this would be an ok solution because apache uid/gid !=
root.
What are the other ways you guys have dealth with this?
Thanks
eric
If I have a directory that I want multiple users to write to this is
what I do.
Create a group (any name will do)
# groupadd ftp_users
Edit the /etc/group file (there are tools to do this, but vi or emacs
are what I prefer)
Change the line (your gid will probably be different)
ftp_users:x:503:
to
ftp_users:x:503:apache,user1,user2,user3,user4
Create a shared directory
# mkdir /var/ftp/pub/shared
Make the directory group owned and writable by ftp_users
# chgrp ftp_users /var/ftp/pub/shared
Set the permissions to allow anyone in that group to write to that
directory. Also make the directory setgid. This is important as the
sticky bit as it is called will preserve permissions for all files and
subdirectories created in that directory.
# chmod g+w,g+s /var/ftp/pub/shared
The directory should look like this.
# ls -ld
drwxrwsr-x 2 root ftp_users 4096 Dec 16 12:12 /var/ftp/pub/shared
Now anyone who is in group ftp_users, including apache will be able to
write into that directory and people will be able to read and write the
files they create. The group members do have to trust each other, but no
one else outside the group. Also any files that are created will be
owned by the UID who created them, so you know who put them there in the
first place. There are of course other permission schemes that can
require more or less trust between group members, but this is usually
what I do for a shared directory amoung various users, or daemon UID.
Terrence
4 p.m.
On Fri, Nov 19, 2004 at 06:31:21AM -0800, Eric Wagar wrote:
...
I have an Apache web server with a few virtual hosts. The ftp is
handled by proftpd, and I have multiple users defined. These users
have their own uid and gid. The problem comes when Apache is uid
apache and need to write to the said directory.
....
What are the other ways you guys have dealth with this?
My first pass thought on this is that "apache" should
not be able to write to dirs that contain CGI anything.
If so your users can write scripts to bypass your proftp
access policy and audit trail.
When there is a need for a dir that apache can write to, OK. Just not
the same set of dirs that your proftpd users can write too. Give each
virtual host a tmp and var dir and admonish them to keep their
temporary files in their tmp area (see tmpwatch;
/etc/cron.daily/tmpwatch). The var dir should be for their data that
varies over time under control of apache processes.
This sort of separation can help the sysadmin with backups...
In a virtual host world different virtual host users can install
scripts that look at files other user virtual host user scripts futz
with. As long at they are not hostile to each other you should be OK.
Some rewrite rules could be used to simplify your user documents and
make all user environments look the same.
Read also about the 't' bit for dir permissions.
chmod -t:
When the sticky bit is set on a directory, files in that
directory may be unlinked or renamed only by root or their
owner. Without the sticky bit, anyone able to write to the
directory can delete or rename files. The sticky bit is
commonly found on directories, such as /tmp, that are
world-writable.
--
T o m M i t c h e l l
spam unwanted email.
SPAM, good eats, and a trademark of Hormel Foods.
4:09 p.m.
why does apache need to write to the vhost dirs?
Eric Wagar wrote:
I have an Apache web server with a few virtual hosts. The ftp is
handled by
proftpd, and I have multiple users defined. These users have their own uid
and gid. The problem comes when Apache is uid apache and need to write to
the said directory.
I am wondering what other people have done to deal with this. Do people just
set all the ftp users uid/gid to the same as the Apache uid/gid on the
system? Obviously this would be an ok solution because apache uid/gid !=
root.
What are the other ways you guys have dealth with this?
Thanks
eric
4:18 p.m.
Virtual hosting user may want to write to their directories, I think.
Recently I stumbled with making up a relatively secure Apache virtual
hosting installation. This is my solution to this moment:
1) users are Unix users at my server, they have FTP locked up in their
home directories (ProFTPd has this option)
2) Apache httpd service runs with apache uid/gid. apache is member of
each user's personal group, so the website is functioning
3) for scripts like PHP to write in user directories, I use suphp module
(www.suphp.org) that runs php scripts with their owner's rights. So even
if users know about other logins, they cannot just
fopen("/home/otheruser/index.php", "r") to read something, because
their
script doesn't have the right.
4) for CGI scripts (Perl and other stuff), one can use suexec (one of my
recent topics here), but I don't have CGI that write in directories, so
I don't care.
If anyone has a better solution, please write. I would be glad to know.
Timothy
Harry Hoffman wrote:
why does apache need to write to the vhost dirs?
Eric Wagar wrote:
> I have an Apache web server with a few virtual hosts. The ftp is
> handled by proftpd, and I have multiple users defined. These users
> have their own uid and gid. The problem comes when Apache is uid
> apache and need to write to the said directory.
>
> I am wondering what other people have done to deal with this. Do
> people just set all the ftp users uid/gid to the same as the Apache
> uid/gid on the system? Obviously this would be an ok solution
> because apache uid/gid != root.
>
> What are the other ways you guys have dealth with this?
>
> Thanks
> eric
>
4:23 p.m.
Eric,
What was the general consesus on your posting listed below?
I have the same question...
Thanks,
Roy
On Fri, 2004-11-19 at 06:31, Eric Wagar wrote:
I have an Apache web server with a few virtual hosts. The ftp is
handled by
proftpd, and I have multiple users defined. These users have their own uid
and gid. The problem comes when Apache is uid apache and need to write to
the said directory.
I am wondering what other people have done to deal with this. Do people just
set all the ftp users uid/gid to the same as the Apache uid/gid on the
system? Obviously this would be an ok solution because apache uid/gid !=
root.
What are the other ways you guys have dealth with this?
Thanks
eric
______________________________________________________________________
--
fedora-list mailing list
fedora-list(a)redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
--
Roy W. Erickson
Senior Systems Engineer
Pixel Magic Effects
10635 Riverside Dr
N. Hollywood, CA 91602
818.760.0862
erickson(a)pixelmagicfx.com
5:36 p.m.
Sorry, I am still stuck with point 3. suphp seems to work with PHP as
CGI (a problem which suexec also solves). But since my PHP is a module
(or filter in Apache2), suphp doesn't help. PHP scripts can't write in
the user's directories.
So, I need help with current topic, too :-)
Timothy.
Timothy Ha wrote:
Virtual hosting user may want to write to their directories, I
think.
Recently I stumbled with making up a relatively secure Apache virtual
hosting installation. This is my solution to this moment:
1) users are Unix users at my server, they have FTP locked up in their
home directories (ProFTPd has this option)
2) Apache httpd service runs with apache uid/gid. apache is member of
each user's personal group, so the website is functioning
3) for scripts like PHP to write in user directories, I use suphp
module (www.suphp.org) that runs php scripts with their owner's
rights. So even if users know about other logins, they cannot just
fopen("/home/otheruser/index.php", "r") to read something, because
their script doesn't have the right.
4) for CGI scripts (Perl and other stuff), one can use suexec (one of
my recent topics here), but I don't have CGI that write in
directories, so I don't care.
If anyone has a better solution, please write. I would be glad to know.
Timothy
7:45 p.m.
That wasn't the question asked. Allowing a daemon to write to *user*
files is asking for trouble!
It's not a good idea.
Virutal users should have their own dirs and apache should be able to
*read* NOT WRITE.
Should you need cgi access secure tmp dirs should be created and the
sticky bit should be put on the directory.
HTH,
Harry
Timothy Ha wrote:
Virtual hosting user may want to write to their directories, I
think.
8:36 p.m.
The general consensus was using system level groups. To me that's a great
idea. I just hate having to deal with the whining of my user.
The system is used only by two people, myself, and a friend (someone I trust.)
It uses pre-built php CMS such as Xoops, phpnuke, and postnuke. So, they
need write access to the directories for a short time. (Some of the scripts
are installed via a install.php file that is removed after its use.)
I am going to try the group idea and see how that goes with the whining user.
thanks!
eric
On Thursday 16 December 2004 02:23 pm, Roy W. Erickson wrote:
Eric,
What was the general consesus on your posting listed below?
I have the same question...
Thanks,
Roy
On Fri, 2004-11-19 at 06:31, Eric Wagar wrote:
> I have an Apache web server with a few virtual hosts. The ftp is handled
> by proftpd, and I have multiple users defined. These users have their
> own uid and gid. The problem comes when Apache is uid apache and need to
> write to the said directory.
>
> I am wondering what other people have done to deal with this. Do people
> just set all the ftp users uid/gid to the same as the Apache uid/gid on
> the system? Obviously this would be an ok solution because apache
> uid/gid != root.
>
> What are the other ways you guys have dealth with this?
>
> Thanks
> eric
8:53 p.m.
Am Fr, den 17.12.2004 schrieb Timothy Ha um 0:36:
Sorry, I am still stuck with point 3. suphp seems to work with PHP as
CGI (a problem which suexec also solves). But since my PHP is a module
(or filter in Apache2), suphp doesn't help. PHP scripts can't write in
the user's directories.
Timothy.
I don't know which problem you have with mod_suphp on Fedora, but it
does what you wanted it for in your previous mail.
Because of interest I compiled and installed it on one of my FC1 servers
and it runs nicely. I created a PHP test script - a counter - and set in
the vhost's configuration to run PHP scripts with my UID/GID. According
to the configuration I got in the /var/log/httpd/suphp_log:
[Fri Dec 17 03:26:13 2004] [info] Executing
/home/adalloz/www/domain.net/html/counter.php as user adalloz (500),
group adalloz (500)
The counter.php has to have chmod 750, while with "normal" PHP operation
(not by the CGI handler) read permissions would be sufficient.
Alexander
--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 03:45:39 up 6 days, 22:26, load average: 0.34, 0.37, 0.39
7063
days inactive
7091
days old
11 comments
9 participants
participants (9)
-
Alexander Dalloz -
Eric Wagar -
Harry Hoffman -
Kevin Wang -
Mike Burger -
Roy Erickson -
Terrence Martin -
Timothy Ha -
Tom Mitchell