I have an Apache web server with a few virtual hosts. The ftp is handled by proftpd, and I have multiple users defined. These users have their own uid and gid. The problem comes when Apache is uid apache and needs to write to the said directory.
I am wondering what other people have done to deal with this. Do people just set all the ftp users' uid/gid to the same as the Apache uid/gid on the system? Obviously this would be an ok solution because apache uid/gid != root.
What are the other ways you guys have dealt with this?
Thanks eric
I'd set their gid to a common group, and leave the uid alone.
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
You can add apache to a group/the groups that own the directory in question, you could change the group ownership of the directory to the apache group, and make it group writable. Or you could create a group to own the directory, and make all necessary users (including apache) members of that group.
If I have a directory that I want multiple users to write to this is what I do.
Create a group (any name will do)
# groupadd ftp_users
Edit the /etc/group file (there are tools to do this, but vi or emacs are what I prefer)
Change the line (your gid will probably be different)
ftp_users:x:503:
to
ftp_users:x:503:apache,user1,user2,user3,user4
Create a shared directory
# mkdir /var/ftp/pub/shared
Make the directory group owned and writable by ftp_users
# chgrp ftp_users /var/ftp/pub/shared
Set the permissions to allow anyone in that group to write to that directory. Also make the directory setgid. This is important, as the sticky bit, as it is called, will preserve permissions for all files and subdirectories created in that directory.
# chmod g+w,g+s /var/ftp/pub/shared
The directory should look like this.
# ls -ld /var/ftp/pub/shared
drwxrwsr-x 2 root ftp_users 4096 Dec 16 12:12 /var/ftp/pub/shared
Now anyone who is in group ftp_users, including apache, will be able to write into that directory, and people will be able to read and write the files they create. The group members do have to trust each other, but no one else outside the group. Also, any files that are created will be owned by the UID who created them, so you know who put them there in the first place. There are of course other permission schemes that can require more or less trust between group members, but this is usually what I do for a shared directory among various users or daemon UIDs.
Terrence
My first pass thought on this is that "apache" should not be able to write to dirs that contain CGI anything.
If so your users can write scripts to bypass your proftp access policy and audit trail.
When there is a need for a dir that apache can write to, OK. Just not the same set of dirs that your proftpd users can write to. Give each virtual host a tmp and var dir and admonish them to keep their temporary files in their tmp area (see tmpwatch; /etc/cron.daily/tmpwatch). The var dir should be for their data that varies over time under control of apache processes.
This sort of separation can help the sysadmin with backups...
In a virtual host world different virtual host users can install scripts that look at files other virtual host users' scripts futz with. As long as they are not hostile to each other you should be OK.
Some rewrite rules could be used to simplify your user documents and make all user environments look the same.
Read also about the 't' bit for dir permissions.
chmod -t: When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.
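The per-virtual-host layout recommended in the message above (a read-only document root for apache, separate tmp and var areas it may write to, sticky bit on the scratch area), as a runnable shell script. This is an added example, not the poster's own script; the directory names, the vhost user and group are assumptions for illustration, it uses GNU coreutils `stat`, and it takes "apache" to be a member of the vhost user's group so it can read htdocs and write tmp/var.

```shell
# Added example (not from the original message): keep the directory tree
# apache may write to apart from the one the ftp user maintains.
# Owner, group and paths are assumptions for illustration.

make_vhost_dirs() {
    base=$1; owner=$2; group=$3
    mkdir -p "$base/htdocs" "$base/tmp" "$base/var" || return 1
    chown "$owner:$group" "$base" "$base/htdocs" "$base/tmp" "$base/var" || return 1
    chmod 2750 "$base/htdocs"   # drwxr-s---: group (apache) reads, only the owner writes
    chmod 3770 "$base/tmp"      # drwxrws--T: group writable, setgid, sticky (t)
    chmod 2770 "$base/var"      # drwxrws---: group writable, setgid
}

# Which subdirectories can the group (and hence apache) write to?
# Prints their names on one line; htdocs must not appear.
group_writable_dirs() {
    base=$1
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm -g=w | sed 's|.*/||' | sort | tr '\n' ' '
}

# Is the sticky bit set on the scratch area, so one user's script cannot
# delete or rename another user's temporary files there?
tmp_is_sticky() {
    base=$1
    case $(stat -c '%A' "$base/tmp") in
        *[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (hypothetical names; run as root so chown to another user works):
#   make_vhost_dirs /srv/www/example.com bob bob
#   group_writable_dirs /srv/www/example.com   # prints: tmp var
```

The sticky bit only restricts unlink and rename; apache can still read and overwrite any group-readable or group-writable file in tmp, so it limits accidental or hostile deletion between vhost users, not disclosure.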
why does apache need to write to the vhost dirs?
Virtual hosting user may want to write to their directories, I think.
Recently I stumbled with making up a relatively secure Apache virtual hosting installation. This is my solution to this moment:
1) users are Unix users at my server, they have FTP locked up in their home directories (ProFTPd has this option)
2) Apache httpd service runs with apache uid/gid. apache is member of each user's personal group, so the website is functioning
3) for scripts like PHP to write in user directories, I use suphp module (www.suphp.org) that runs php scripts with their owner's rights. So even if users know about other logins, they cannot just fopen("/home/otheruser/index.php", "r") to read something, because their script doesn't have the right.
4) for CGI scripts (Perl and other stuff), one can use suexec (one of my recent topics here), but I don't have CGI that write in directories, so I don't care.
If anyone has a better solution, please write. I would be glad to know.
Timothy
Harry Hoffman wrote:
why does apache need to write to the vhost dirs?
Eric,
What was the general consensus on your posting listed below? I have the same question...
Thanks,
Roy
Sorry, I am still stuck with point 3. suphp seems to work with PHP as CGI (a problem which suexec also solves). But since my PHP is a module (or filter in Apache2), suphp doesn't help. PHP scripts can't write in the user's directories.
So, I need help with current topic, too :-)
Timothy.
Timothy Ha wrote:
Virtual hosting user may want to write to their directories, I think.
That wasn't the question asked. Allowing a daemon to write to *user* files is asking for trouble!
It's not a good idea.
Virtual users should have their own dirs and apache should be able to *read* NOT WRITE.
Should you need cgi access secure tmp dirs should be created and the sticky bit should be put on the directory.
HTH, Harry
Timothy Ha wrote:
Virtual hosting user may want to write to their directories, I think.
The general consensus was using system-level groups. To me that's a great idea. I just hate having to deal with the whining of my user.
The system is used only by two people, myself and a friend (someone I trust). It uses pre-built PHP CMSs such as Xoops, phpnuke, and postnuke. So, they need write access to the directories for a short time. (Some of the scripts are installed via an install.php file that is removed after its use.)
I am going to try the group idea and see how that goes with the whining user.
thanks! eric
On Fri, 17.12.2004 at 0:36, Timothy Ha wrote:
Sorry, I am still stuck with point 3. suphp seems to work with PHP as CGI (a problem which suexec also solves). But since my PHP is a module (or filter in Apache2), suphp doesn't help. PHP scripts can't write in the user's directories.
Timothy.
I don't know which problem you have with mod_suphp on Fedora, but it does what you wanted it for in your previous mail.
Because of interest I compiled and installed it on one of my FC1 servers and it runs nicely. I created a PHP test script - a counter - and set in the vhost's configuration to run PHP scripts with my UID/GID. According to the configuration I got in the /var/log/httpd/suphp_log:
[Fri Dec 17 03:26:13 2004] [info] Executing /home/adalloz/www/domain.net/html/counter.php as user adalloz (500), group adalloz (500)
The counter.php has to have chmod 750, while with "normal" PHP operation (not by the CGI handler) read permissions would be sufficient.
Alexander