[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Web servers again...


----- Original Message ----- 
From: "Chris J" <cej [at] nightwolf.org.uk>
To: <shef-lug [at] list.sheflug.org.uk>
Sent: Thursday, August 28, 2003 7:49 PM
Subject: Re: [Sheflug] Web servers again...


> >
> > I have a php script which is designed to be run as the 404 error handler
to
> > create thumbnails of graphic files. As this
> > script runs on demand, it needs write access to the whole of the web
space.
> >
> > So, I am looking at
> >
> > a) can I make this one script run as root?
> >
>
> Ow! Ow! Ow!
>
> Unless you are certain of both your script /and/ that PHP cannot be
> compromised this is a horribly bad idea! And even if you are certain it's
> still a bad idea!

That was my thoughts on things as well.
>
>
> > b) make whole web folder chmod 777?
> >
>
> Again, security problems with this.

Absolutely
>
> > c) attempt to create a user that is a member of all groups, but is not
> > root.? (there are about 40 groups in total)
> >
> > Am I right in thinking you can not put groups into groups? (This is how
we
> > got round the problem on NT).
>
> Correct, but you can get a patch to do POSIX ACL's (kernel 2.6 should have
> this natively ... huzzah!).
>
> I think the best approach is to see what you can do with a UNIX filesystem
> itself :) A little overlooked option on standard permissions is the group-
> sticky bit on directories. When a directory has this on, then any file
> created under it will have the group ownership of the directory. Thus if
you
> force all web directories to be in a single group, all your script
requires
> is access /to that group/.
>
> chmod g+s on the directory to play. You may want to experiment a little to
> see if this does for your needs.
>
Interesting, the problem is that I am already using the groups to allow edit
access to the different
groups of people, each department is assigned to a group, though setting the
sticky bit would solve the problem
of admin adding content and it not being editable by the rest of that staff
group.

Can you set the user in the same way? If I could make the user sticky, so
all files were owned by wwwrun, with the correct
group permissions things would be much better?

> If you end up needing a script to do the job and it has to run as root
then
> have that process as a completely seperate thing that the CGI/PHP script
> sets a trigger - this way there is a good isolation gap between the web
> process and the root process. Alternatively, is there a need for this
thing
> to run as a 404 handler? Could it not just run from cron every so often?
>
> Chris...
>

Yes, that was the way I was starting to think, unfortunately the 404 is
really needed, unless I wanted
to run a cron job every 5 mins or something.

Think I need to look at the sticky flags.

Thanks

Rob Keeling

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.