Re: [Sheflug] Web servers again...
>
> I have a php script which is designed to be run as the 404 error handler to
> create thumbnails of graphic files. As this
> script runs on demand, it needs write access to the whole of the web space.
>
> So, I am looking at
>
> a) can I make this one script run as root?
>
Ow! Ow! Ow!
Unless you are certain of both your script /and/ that PHP cannot be
compromised this is a horribly bad idea! And even if you are certain it's
still a bad idea!
> b) make whole web folder chmod 777?
>
Again, security problems with this.
> c) attempt to create a user that is a member of all groups, but is not
> root? (there are about 40 groups in total)
>
> Am I right in thinking you can not put groups into groups? (This is how we
> got round the problem on NT).
Correct, but you can get a patch to do POSIX ACLs (kernel 2.6 should have
this natively ... huzzah!).
I think the best approach is to see what you can do with a UNIX filesystem
itself :) A little overlooked option on standard permissions is the group-
sticky bit on directories. When a directory has this on, then any file
created under it will have the group ownership of the directory. Thus if you
force all web directories to be in a single group, all your script requires
is access /to that group/.
chmod g+s on the directory to play. You may want to experiment a little to
see if this does for your needs.
If you end up needing a script to do the job and it has to run as root then
have that process as a completely separate thing that the CGI/PHP script
sets a trigger - this way there is a good isolation gap between the web
process and the root process. Alternatively, is there a need for this thing
to run as a 404 handler? Could it not just run from cron every so often?
Chris...
--
\ Chris Johnson \
\ cej [at] nightwolf.org.uk ~-----,
\ http://cej.nightwolf.org.uk/ ~-----------------------------------,
\ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
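The group-inheritance approach Chris describes, as an added example that is not part of the original post: the bit `chmod g+s` sets on a directory is the setgid bit (mode 02000), and on Linux every file created inside such a directory inherits the directory's group, so a script that is merely a member of that group can write there without root or mode 777. The script below is POSIX sh, assumes it runs as a user who belongs to at least one group (it picks a supplementary group when one exists), and uses numeric gids so nothing depends on name lookups. The `htdocs` directory name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a setgid ("g+s") directory makes
# every file created inside it inherit the directory's group, so a script that
# is merely a member of that group can write there without root or mode 777.
# Numeric gids are used throughout so nothing depends on /etc/group lookups.

# gid_of PATH -> numeric gid that owns PATH
gid_of() {
    ls -lnd "$1" | awk '{print $4}'
}

# mode_of PATH -> the ten-character permission string, e.g. drwxrwsr-x
mode_of() {
    ls -lnd "$1" | cut -c1-10
}

# pick_group -> a supplementary gid of the current user other than the primary
# gid, falling back to the primary gid if the user has no other group
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# make_shared_dir DIR GID -> directory owned by GID with mode 2775 (rwxrwsr-x):
# group-writable, and the 's' in the group triple is the setgid bit
make_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2775 "$1"
}

# create_as_webuser DIR NAME -> create a file the way the web process would,
# with umask 002 so the group keeps write access; prints the file's gid
create_as_webuser() {
    ( umask 002 && : > "$1/$2" ) || return 1
    gid_of "$1/$2"
}

# demo -> run the whole thing in a scratch directory and show the result
demo() {
    tmp=$(mktemp -d) || return 1
    grp=$(pick_group)
    make_shared_dir "$tmp/htdocs" "$grp"
    create_as_webuser "$tmp/htdocs" thumb.jpg >/dev/null
    echo "dir  : $(mode_of "$tmp/htdocs") gid=$(gid_of "$tmp/htdocs")"
    echo "file : $(mode_of "$tmp/htdocs/thumb.jpg") gid=$(gid_of "$tmp/htdocs/thumb.jpg")"
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner would want. Inheritance gives the web server's group ownership, not write permission: a new file still takes its mode from the creator's umask, so the web process needs a umask such as 002 (as above), and any subdirectory PHP creates needs g+ws as well (on Linux the setgid bit itself is inherited by new subdirectories, but check it). And this only narrows "everyone can write the whole tree" to "the web group can write the whole tree"; a bug in any PHP script still lets it overwrite any page, which is why confining the writable area to a thumbnail directory is better than making the whole web space group-writable.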
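The trigger-and-separate-worker layout from the last paragraph, as an added example that is not part of the original post: the PHP 404 handler only drops a request file into a spool directory it can write, and a separate privileged process (run from cron, as also suggested) reads the spool and does the work. The isolation gap only helps if the privileged side treats each request as hostile, so the worker canonicalises the requested path and refuses anything that resolves outside the web root, including symlink escapes. The `spool` and `htdocs` names are assumptions, and `make_thumbnail` is a stand-in that just touches a `.thumb` file instead of calling a real converter.

```shell
#!/bin/sh
# Added example (not from the original post): privilege separation through a
# spool directory. The unprivileged web side writes requests; the privileged
# worker validates every request against the web root before acting on it.

# make_thumbnail PATH -> stand-in for the real converter: creates PATH.thumb
make_thumbnail() {
    : > "$1.thumb"
}

# enqueue_request SPOOL RELPATH -> web side: record that RELPATH (relative to
# the web root) needs a thumbnail. One file per request, so concurrent 404
# handlers never clobber each other.
enqueue_request() {
    f=$(mktemp "$1/req.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
}

# safe_path WEBROOT RELPATH -> prints the canonical absolute path if RELPATH is
# an existing regular file inside WEBROOT; prints nothing and returns 1 otherwise
safe_path() {
    root=$(cd "$1" && pwd -P) || return 1
    case $2 in
        /*|*/../*|../*|*/..|..|'') return 1 ;;   # absolute paths and '..' components
    esac
    # Resolve the containing directory physically; a symlink pointing out of the
    # tree ends up with a real path that is not under root.
    dir=$(cd "$root/$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
    case $dir in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    target="$dir/$(basename "$2")"
    # -f follows symlinks, so also refuse the final component being a link
    [ -f "$target" ] && [ ! -L "$target" ] || return 1
    printf '%s\n' "$target"
}

# process_queue SPOOL WEBROOT -> privileged side: consume every request, act
# only on the ones that pass safe_path. Prints "ok PATH" or "rejected REQUEST".
process_queue() {
    spool=$1; root=$2
    for req in "$spool"/req.*; do
        [ -f "$req" ] || continue
        rel=$(head -n 1 "$req")
        rm -f "$req"                       # consume the request before acting
        if target=$(safe_path "$root" "$rel"); then
            make_thumbnail "$target"
            printf 'ok %s\n' "$target"
        else
            printf 'rejected %s\n' "$rel"
        fi
    done
}
```

The worker never trusts the request beyond "a relative path under the web root": it rejects absolute paths and any `..` component before touching the filesystem, then resolves the directory physically with `pwd -P` so a symlink planted in the tree cannot redirect the root process to `/etc` or a home directory. Run the worker from cron (or a small daemon) as root or, better, as a dedicated user that only has write access to the thumbnail tree, and leave the PHP side with write access to the spool alone.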