
Re: [Sheflug] Web Server document permissions



On Thu, 2003-11-13 at 16:37, Ashe wrote:
> I don't know if theres a definitive answer for this one, or just various means 
> with various drawbacks, but anyway...
> 
> On my server, the web directory (/var/www/html) is owned by root and under 
> root group, which means that any time I want to alter the webpages, I have to 
> create everything, upload it somewhere else, then su into root and copy 
> across, which seems like a very cumbersome way of going about it. Are there 
> any ways that this can be stepped around without it being too insecure?
> 
Without being definite as to whether this is the best way or not, what I
like to do is change ownership of the root web directory to the user who
uploads the files, and the apache group.

The user is not a member of the apache group though - important for how
I set it up. I then make sure that all files are readable by the apache
group, but not writable or executable. Obviously the user has full
access and other has absolutely no access. The last point only matters
for files with sensitive password information in them.

This seems to work well for me on the whole. I usually use a create mask
of rw-r-----. I can then make any perl scripts executable for both the
user and the apache group. As far as I am aware this stops all direct
methods of access to the files. Although I can still make a PHP script
to read the contents of any file in another directory if I know its
name, so long as the apache group has access.

I am not sure what the way around this is to be honest. You need to
change the group Apache executes under according to which web tree it is
serving, maybe? You could start multiple instances of Apache bound to
different IPs to do this.

I would love to know of any better ways to do it, other than kicking an
offending user off once you note his/her activities! It's more than a
little late by that point. UML is another extreme way around it. Best to
have a dedicated server if you have the money and only let those you
trust use it :)
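The layout the reply describes (web root owned by the uploading user and the apache group, files rw-r-----, directories and Perl scripts rwxr-x---, nothing for other) written out as a script. This is an added example and not code from the original mail; it assumes GNU coreutils (`stat -c`) and that the caller may chown to the given user and group (root, or the caller's own uid/gid). The directory, file names and the `*.pl`/`*.cgi` rule for which files get execute permission are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): apply the ownership and mode
# policy from the reply to a web tree.
#   directories : rwxr-x--- (0750)  user full, apache group may traverse/list
#   files       : rw-r-----  (0640)  user rw, apache group read-only, other none
#   CGI scripts : rwxr-x--- (0750)  user and apache group may execute
# The uploading user is deliberately NOT a member of the apache group, so the
# group bits are what Apache gets and nothing more.
# Assumptions: GNU coreutils for `stat -c`; chown is permitted for USER:GROUP.

set -eu

# setup_webroot DIR USER GROUP
# Recursively set owner/group and modes on DIR. Safe to re-run.
setup_webroot() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir"
    chown -R "$owner:$group" "$dir"
    # Directories: user rwx, group r-x (traverse), other nothing.
    find "$dir" -type d -exec chmod 0750 {} +
    # Regular files: user rw, group r, other nothing (covers config files
    # holding passwords: Apache can read them, nobody else can).
    find "$dir" -type f -exec chmod 0640 {} +
    # Scripts Apache must execute (assumed naming: *.pl, *.cgi) get
    # execute for user and group as well.
    find "$dir" -type f \( -name '*.pl' -o -name '*.cgi' \) -exec chmod 0750 {} +
}

# mode_of PATH: octal mode as a string, e.g. 640
mode_of() {
    stat -c '%a' "$1"
}

# group_of PATH: owning group name
group_of() {
    stat -c '%G' "$1"
}

# Demo on a constructed tree in a temporary directory. Files created under a
# umask of 027 come out as rw-r----- without any later chmod, which is the
# "create mask" the reply mentions.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin" "$root/private"
    echo '<h1>hello</h1>' > "$root/index.html"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$root/cgi-bin/test.pl"
    echo 'dbpass=secret' > "$root/private/config.inc"
    setup_webroot "$root" "$(id -un)" "$(id -gn)"
    # A new file uploaded under umask 027 needs no fixing up.
    ( umask 027; echo 'new page' > "$root/new.html" )
    for p in "$root" "$root/index.html" "$root/cgi-bin/test.pl" \
             "$root/private/config.inc" "$root/new.html"; do
        printf '%s %s %s\n' "$(mode_of "$p")" "$(group_of "$p")" "${p#$root/}"
    done
    rm -rf "$root"
}

demo
```

Note that this is exactly as strong as the reply says it is: Apache can read every file the apache group can read, so a PHP or CGI script in one user's tree can still read another user's files on the same server; the modes above stop other shell users, not other web authors sharing the same Apache instance.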

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.