I'm setting up a shared web server running Apache. Each web root will belong to a department, which has a corresponding Active Directory group to give access. So far I've got samba working and such, but am having some trouble wrapping my head around the necessary permissions to make all this work, especially securely. So far I've found that both the POSIX and the ACL permissions must allow a user to write to a directory, which is proving problematic. Is it better to give the web root directories very "loose" permissions and have Samba manage who can access the folders?
A few options I've come across would have a user's logged-in account mapped to the "apache" user through samba, using "force user", but that seems like a security risk, allowing users to be apache. Another option I currently have working is using a default ACL for apache to give the web server read access to all the files. The problem I have with this is that some directories require write and some files should be read-only (like db config files), so again a global permission set doesn't seem to work.
I'd be very interested in knowing how someone has solved a problem like this.
Thanks - Trey
On Mon, 2011-08-08 at 21:32 -0500, Trey Dockendorf wrote:
I'm setting up a shared web server running Apache. Each web root will belong to a department, which has a corresponding Active Directory group to give access. So far I've got samba working and such, but am having some trouble wrapping my head around the necessary permissions to make all this work, especially securely. So far I've found that both the POSIX and the ACL permissions must allow a user to write to a directory, which is proving problematic. Is it better to give the web root directories very "loose" permissions and have Samba manage who can access the folders?
A few options I've come across would have a user's logged-in account mapped to the "apache" user through samba, using "force user", but that seems like a security risk, allowing users to be apache. Another option I currently have working is using a default ACL for apache to give the web server read access to all the files. The problem I have with this is that some directories require write and some files should be read-only (like db config files), so again a global permission set doesn't seem to work.
I'd be very interested in knowing how someone has solved a problem like this.
----
mkdir /var/www/html/department_a
chown root:department_a /var/www/html/department_a
chmod g+ws /var/www/html/department_a
smb.conf
[Department A Web]
comment = Department A Web Server
# your call on this one (a trailing comment on the value line itself would be read as part of the value)
browseable = Yes
writeable = yes
path = /var/www/html/department_a
directory mask = 775
create mask = 664
valid users = @department_a
That should work. If you have spaces in group names (one of the things I love about Windows), use @"department a"
Craig
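An audit script for the layout proposed above (dirs setgid 2775, files 0664, nothing world-writable, db configs not readable by 'other'). This is an added example, not code from the original posts; the sensitive-name list and the sample tree built by make_sample_tree() are constructed here so it runs without a real share.

```python
"""Audit a departmental web root against the group-writable setgid layout:
dirs 2775, files 0664, no world-writable objects, sensitive files not
world-readable. Added example, not from the original posts."""
import os
import stat
import tempfile

# Assumed: names a web root should never expose world-readable.
SENSITIVE_NAMES = {"db.conf", "config.php", "settings.ini", ".htpasswd"}


def _rel(root, path):
    rel = os.path.relpath(path, root)
    return "." if rel == "." else rel


def audit_webroot(root, expected_gid=None):
    """Walk `root` and return [(relative_path, problem), ...].

    Every directory os.walk visits is checked (the root included); symlinks
    are not followed, so a link target is never mistaken for a regular file.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        here = _rel(root, dirpath)
        if not mode & stat.S_ISGID:
            findings.append((here, "directory lacks setgid: new files will not inherit the department group"))
        if mode & stat.S_IWOTH:
            findings.append((here, "directory is world-writable"))
        if expected_gid is not None and st.st_gid != expected_gid:
            findings.append((here, "directory not owned by the department group"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = _rel(root, path)
            if mode & stat.S_IWOTH:
                findings.append((rel, "file is world-writable"))
            if name in SENSITIVE_NAMES and mode & stat.S_IROTH:
                # Under this layout apache itself reads as 'other', so the fix is an
                # Apache <Directory>/<Files> deny or moving the file out of the web
                # root, not chmod o-r (which would lock apache out too).
                findings.append((rel, "sensitive file is world-readable"))
            if expected_gid is not None and st.st_gid != expected_gid:
                findings.append((rel, "file not owned by the department group"))
    return findings


def make_sample_tree():
    """Constructed web root: one conforming site dir, one sloppy uploads dir.
    Modes are set with chmod after creation so the process umask cannot interfere."""
    root = tempfile.mkdtemp(prefix="department_a-")
    os.chmod(root, 0o2775)
    good = os.path.join(root, "site")
    os.mkdir(good)
    os.chmod(good, 0o2775)
    for name in ("index.html", "db.conf"):
        p = os.path.join(good, name)
        open(p, "w").close()
        os.chmod(p, 0o664)
    bad = os.path.join(root, "uploads")
    os.mkdir(bad)
    os.chmod(bad, 0o777)  # no setgid and world-writable: what a hurried 'chmod 777' leaves behind
    p = os.path.join(bad, "notes.txt")
    open(p, "w").close()
    os.chmod(p, 0o666)
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for rel, problem in audit_webroot(sample, expected_gid=os.getgid()):
        print(f"{rel}: {problem}")
```

Run it against /var/www/html/department_a with the department's numeric gid as expected_gid to find directories created before the setgid bit was set.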
On Mon, 2011-08-08 at 19:52 -0700, Craig White wrote:
mkdir /var/www/html/department_a
chown root:department_a /var/www/html/department_a
chmod g+ws /var/www/html/department_a
In which case you probably want to add apache to the department_a group. And all users accessing that share of course, although the sgid will always set the gid correctly, assuming the user can actually write there which is easier to accomplish if they share that group.
There's probably a way to add apache to that group with a configuration on the local machine so it doesn't have to query your ADS/NMB server. Not sure about the details but the docs at http://samba.org/samba/docs/ are invaluable.
And if you use php applications with safe mode you need php_admin_value safe_mode_gid on so apache accesses them on gid not uid.
Regards, Leonard.
On Aug 8, 2011, at 11:31 PM, Leonard den Ottolander wrote:
On Mon, 2011-08-08 at 19:52 -0700, Craig White wrote:
mkdir /var/www/html/department_a
chown root:department_a /var/www/html/department_a
chmod g+ws /var/www/html/department_a
In which case you probably want to add apache to the department_a group. And all users accessing that share of course, although the sgid will always set the gid correctly, assuming the user can actually write there which is easier to accomplish if they share that group.
There's probably a way to add apache to that group with a configuration on the local machine so it doesn't have to query your ADS/NMB server. Not sure about the details but the docs at http://samba.org/samba/docs/ are invaluable.
---- I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
There are two important features of what I proposed...
- sgid means that all files/folders created within will always belong to department_a group
- create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
Craig
On 8/9/2011 10:44 AM, Craig White wrote:
There's probably a way to add apache to that group with a configuration on the local machine so it doesn't have to query your ADS/NMB server. Not sure about the details but the docs at http://samba.org/samba/docs/ are invaluable.
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
Really? I thought samba would map a connection to a uid at connect time.
There are two important features of what I proposed...
- sgid means that all files/folders created within will always belong to department_a group
You can also do a 'force group' in the samba config for a share instead of or besides the sgid directory.
- create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
There are also likely situations where the web server needs write access, although those cases should be handled carefully or avoided where possible.
On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote:
On 8/9/2011 10:44 AM, Craig White wrote:
There's probably a way to add apache to that group with a configuration on the local machine so it doesn't have to query your ADS/NMB server. Not sure about the details but the docs at http://samba.org/samba/docs/ are invaluable.
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
Really? I thought samba would map a connection to a uid at connect time.
---- indeed it does but that doesn't mean that the system won't keep polling the authoritative account info source. ----
There are two important features of what I proposed...
- sgid means that all files/folders created within will always belong to department_a group
You can also do a 'force group' in the samba config for a share instead of or besides the sgid directory.
---- true but:
1 - force anything seems to be a little heavy handed
2 - using sgid means that anyone using a shell will also create files/directories with the same group - using 'force group' only has implications for samba connections. Using sgid encompasses all methods of access.
----
- create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
There are also likely situations where the web server needs write access, although those cases should be handled carefully or avoided where possible.
---- indeed
Craig
On Tue, Aug 9, 2011 at 11:54 AM, Craig White craig.white@ttiltd.com wrote:
On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote:
On 8/9/2011 10:44 AM, Craig White wrote:
There's probably a way to add apache to that group with a configuration on the local machine so it doesn't have to query your ADS/NMB server. Not sure about the details but the docs at http://samba.org/samba/docs/ are invaluable.
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
Really? I thought samba would map a connection to a uid at connect time.
indeed it does but that doesn't mean that the system won't keep polling the authoritative account info source.
There are two important features of what I proposed...
- sgid means that all files/folders created within will always belong to department_a group
You can also do a 'force group' in the samba config for a share instead of or besides the sgid directory.
true but:
1 - force anything seems to be a little heavy handed
2 - using sgid means that anyone using a shell will also create files/directories with the same group - using 'force group' only has implications for samba connections. Using sgid encompasses all methods of access.
- create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
There are also likely situations where the web server needs write access, although those cases should be handled carefully or avoided where possible.
indeed
Craig
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Excellent advice thank you!!!
I was very close to the same conclusion, but have never messed with SGID, but that definitely helps especially as I make changes on the command line side while my users do it via Samba.
Also a side note... NONE of this will work if you're testing creating files from a Mac. You have to add "unix extensions = no" to the Samba global config section. Once I did that the create mask and directory mask options began to work.
Now I have a new requirement passed to me, which is a bit more complicated.
How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they? The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.
Thanks again, - Trey
On 8/9/2011 12:32 PM, Trey Dockendorf wrote:
Now I have a new requirement passed to me, which is a bit more complicated.
How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they? The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.
You could make a separate samba share with different ownership. At some point it might make more sense to use a web-based content manager that understands logins/permissions or perhaps a wiki that permits uploads instead of randomly mapping file access around. If the users in question already have home directories on the server you might make things work for individuals with symlinks out of their home directories that show up by default in samba - or map the URLs into the public_html directory you get with ~ expansion so the home directories are self-contained.
On Tue, Aug 9, 2011 at 12:56 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 8/9/2011 12:32 PM, Trey Dockendorf wrote:
Now I have a new requirement passed to me, which is a bit more complicated.
How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they? The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.
You could make a separate samba share with different ownership. At some point it might make more sense to use a web-based content manager that understands logins/permissions or perhaps a wiki that permits uploads instead of randomly mapping file access around. If the users in question already have home directories on the server you might make things work for individuals with symlinks out of their home directories that show up by default in samba - or map the URLs into the public_html directory you get with ~ expansion so the home directories are self-contained.
-- Les Mikesell lesmikesell@gmail.com
That will probably be the best option while we move these sites to a CMS. The users are accustomed to using Windows drive letters that are mapped by our AD to access their content, and I'd like to have to leave that intact for now.
Now the fun part of making that many share definitions not take up 100's of lines in my puppet node definitions :-/.
In case anyone is interested I've uploaded what I have thus far for my Puppet samba module. It's here, https://github.com/treydock/puppet-samba
Thanks - Trey
On 8/9/2011 4:34 PM, Trey Dockendorf wrote:
You could make a separate samba share with different ownership. At some point it might make more sense to use a web-based content manager that understands logins/permissions or perhaps a wiki that permits uploads instead of randomly mapping file access around.
That will probably be the best option while we move these sites to a CMS. The users are accustomed to using Windows drive letters that are mapped by our AD to access their content, and I'd like to have to leave that intact for now.
I haven't looked closely at it for a while, but Alfresco claims to do both. http://www.alfresco.com/community/
That is, it can appear as a file share via jcifs while still layering its content management logic over the view/access in the same way the web server side does (and nfs, ftp, and webdav...).
On Tuesday, August 09, 2011 05:34:52 PM Trey Dockendorf wrote:
That will probably be the best option while we move these sites to a CMS. The users are accustomed to using Windows drive letters that are mapped by our AD to access their content, and I'd like to have to leave that intact for now.
Just as a pointer, have you looked at some form of WebDAV? Many CMS's (Plone, for instance) can do WebDAV out of the box, and it's rather transparent, especially with a frontend like Enfold Desktop. You could then migrate one user at a time, even, if you stage it properly.
It seems to be more efficient and at least as secure as SMB/CIFS shares are. And requires many fewer network 'concessions' to the protocol involved....
On the first page of a google search for 'WebDAV "mapped drive letter"' I find: http://systembash.com/content/map-drive-letter-sftp-ssh-review/ which looks pretty interesting to me....
On Aug 9, 2011, at 10:32 AM, Trey Dockendorf wrote:
On Tue, Aug 9, 2011 at 11:54 AM, Craig White craig.white@ttiltd.com wrote:
On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote:
On 8/9/2011 10:44 AM, Craig White wrote:
There's probably a way to add apache to that group with a configuration on the local machine so it doesn't have to query your ADS/NMB server. Not sure about the details but the docs at http://samba.org/samba/docs/ are invaluable.
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
Really? I thought samba would map a connection to a uid at connect time.
indeed it does but that doesn't mean that the system won't keep polling the authoritative account info source.
There are two important features of what I proposed...
- sgid means that all files/folders created within will always belong to department_a group
You can also do a 'force group' in the samba config for a share instead of or besides the sgid directory.
true but:
1 - force anything seems to be a little heavy handed
2 - using sgid means that anyone using a shell will also create files/directories with the same group - using 'force group' only has implications for samba connections. Using sgid encompasses all methods of access.
- create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
There are also likely situations where the web server needs write access, although those cases should be handled carefully or avoided where possible.
indeed
Craig
Excellent advice thank you!!!
I was very close to the same conclusion, but have never messed with SGID, but that definitely helps especially as I make changes on the command line side while my users do it via Samba.
Also a side note... NONE of this will work if you're testing creating files from a Mac. You have to add "unix extensions = no" to the Samba global config section. Once I did that the create mask and directory mask options began to work.
Now I have a new requirement passed to me, which is a bit more complicated.
How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they? The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.
---- you really should have been able to fix this one yourself.
you can use any combination of 'read list' and 'write list', including multiple groups, within the share definition. Of course these govern the whole share itself, or you can use Windows ACLs to set individual file/folder permissions (but that tends to be confusing for many people).
Another option is to create a new share for the 'read only' users and just create symbolic links inside the read only share for those users.
generally, I encourage Macintosh users to use 'netatalk' (AFP over TCP/IP) shares which are probably the same shares with almost identical configuration details but the current version of netatalk is awfully difficult to get installed on CentOS 5 - probably easier on CentOS 6 but I've made the switch to Ubuntu for newer installs. Of course then you have to add 'veto files' on samba because Macintoshes leave a lot of clutter behind on a server. The notion of a Macintosh having to resort to Windows protocol to use a Linux server is rather ugly.
Craig
On Tue, 2011-08-09 at 13:33 -0700, Craig White wrote:
The notion of a Macintosh having to resort to Windows protocol to use a Linux server is rather ugly.
Heh. If only...
I just started a job where I work with a Mac as my desktop. Had it connect to my Fedora 15 netbook via NFS, only to see Fedora oops (something with encode_nlm_stat). So I had to fall back to samba ;p . Remind me to file a bug on that once I figure out how to make abrt log an oops :).
Regards, Leonard.
Hello Craig,
On Tue, 2011-08-09 at 08:44 -0700, Craig White wrote:
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated,
- create mask 664 & directory mask 775
Perhaps I should have made explicit in my post that I wouldn't recommend such file permissions. Apache accessing files with world permissions is ugly and it makes it impossible to run f.e. php with safe_mode or have apache write files other than by allowing the world write access. Which is why I described that setup with a shared group.
Regards, Leonard.
On Tue, 2011-08-09 at 23:03 +0200, Leonard den Ottolander wrote:
Hello Craig,
On Tue, 2011-08-09 at 08:44 -0700, Craig White wrote:
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated,
- create mask 664 & directory mask 775
Perhaps I should have made explicit in my post that I wouldn't recommend such file permissions. Apache accessing files with world permissions is ugly and it makes it impossible to run f.e. php with safe_mode or have apache write files other than by allowing the world write access. Which is why I described that setup with a shared group.
---- please explain to me how the above octal permissions with user root & group department_a translate to giving apache write access or even world write access.
For that matter, please explain how if any html directory served by apache (runs as user/group apache/apache)...
user/group root/department_group
files 0664
directories 1775
are in any way vulnerable to world write access or otherwise represent an insecure configuration because I want to learn.
I think this is reasonably secure configuration.
Craig
On Wed, 2011-08-10 at 18:18 -0700, Craig White wrote:
For that matter, please explain how if any html directory served by apache (runs as user/group apache/apache)...
user/group root/department_group
files 0664
directories 1775
are in any way vulnerable to world write access or otherwise represent an insecure configuration because I want to learn.
All mine are:-
files: root r/w, group r, others r
directories: root rwx, group x, others x
except .htaccess for each domain which is writable by Apache because, at the slightest hacking attempt, the hackers IP address is instantly added to the .htaccess with a Deny statement.
Hello Craig,
On Wed, 2011-08-10 at 18:18 -0700, Craig White wrote:
please explain to me how the above octal permissions with user root & group department_a translate to giving apache write access or even world write access.
I think you misunderstood what I meant... I claimed that if apache is not part of the department_a group the only way to give apache write access is by giving the world write access. With the setup as you suggested it is impossible to give apache write access without giving the whole world write access where apache needs to write.
Of course with my setup the problem is apache has write access everywhere the group has write access (using 2770 for directories).
(The approach of adding apache to a shared user-apache group does work well for single user directories. Using 2750 for apache read and 2770 for apache write. Perhaps an smb mapping to a user on the affected shares fixes the issue with my approach.)
<snip sarcasm>
I think this is reasonably secure configuration.
Perhaps the setup you suggest is the best approach, but it has its limitations. It makes it impossible to give apache write access to certain directories without giving the world write access there, and it makes it impossible to use php with safe_mode.
Regards, Leonard.
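The disagreement above comes down to which POSIX permission class the apache user falls into. The model below evaluates both layouts (Craig's root:department_a, 0664/2775 with apache as 'other'; Leonard's shared group, 2770 with apache in the group) and computes the mode that would be needed to let apache write a file under each. Added example, not from the original posts; the uid/gid numbers are constructed placeholders and the 0660 file mode for the shared-group layout is an assumption.

```python
"""POSIX DAC model for the two web-root layouts discussed in the thread.
Added example, not from the original posts; ids are constructed."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    uid: int
    groups: frozenset  # primary gid plus supplementary groups


R, W, X = "r", "w", "x"
_BITS = {
    ("owner", R): stat.S_IRUSR, ("owner", W): stat.S_IWUSR, ("owner", X): stat.S_IXUSR,
    ("group", R): stat.S_IRGRP, ("group", W): stat.S_IWGRP, ("group", X): stat.S_IXGRP,
    ("other", R): stat.S_IROTH, ("other", W): stat.S_IWOTH, ("other", X): stat.S_IXOTH,
}


def access_class(st_uid, st_gid, p):
    """POSIX picks exactly one class by identity: owner, else group, else other.
    A group member is judged by the group bits even when 'other' is wider
    (mode 0604 denies group members reading), so a mode change has to target
    the class the web server actually falls into."""
    if p.uid == st_uid:
        return "owner"
    if st_gid in p.groups:
        return "group"
    return "other"


def may(st_uid, st_gid, mode, p, want):
    if p.uid == 0:
        return True  # CAP_DAC_OVERRIDE; root is never the web server's identity
    return bool(mode & _BITS[(access_class(st_uid, st_gid, p), want)])


def mode_granting(st_uid, st_gid, mode, p, want):
    """Smallest mode that additionally grants `want` to p (unchanged if already granted)."""
    return mode | _BITS[(access_class(st_uid, st_gid, p), want)]


ROOT_UID, DEPT_A = 0, 1001  # constructed gid for the department_a group
APACHE_ID = 48              # CentOS's default apache uid/gid; treated as an assumption here
APACHE = Principal(APACHE_ID, frozenset({APACHE_ID}))
APACHE_IN_DEPT = Principal(APACHE_ID, frozenset({APACHE_ID, DEPT_A}))
FACULTY = Principal(1500, frozenset({1500, DEPT_A}))  # department member via the AD group
LOCAL_USER = Principal(2000, frozenset({2000}))       # unrelated account on the same box


def evaluate(file_mode, dir_mode, apache):
    """Rights of apache, a department member and an unrelated user on a
    root:department_a file and its directory, plus the file mode that would
    be needed to let apache write that file."""
    out = {}
    for name, p in (("apache", apache), ("faculty", FACULTY), ("local_user", LOCAL_USER)):
        out[name] = {
            "read_file": may(ROOT_UID, DEPT_A, file_mode, p, R),
            "write_file": may(ROOT_UID, DEPT_A, file_mode, p, W),
            # creating an entry needs write and search permission on the directory
            "create_in_dir": may(ROOT_UID, DEPT_A, dir_mode, p, W)
            and may(ROOT_UID, DEPT_A, dir_mode, p, X),
        }
    out["mode_to_let_apache_write"] = oct(mode_granting(ROOT_UID, DEPT_A, file_mode, apache, W))
    return out


CRAIG = evaluate(0o664, 0o2775, APACHE)            # apache is not in department_a
LEONARD = evaluate(0o660, 0o2770, APACHE_IN_DEPT)  # apache added to the shared group

if __name__ == "__main__":
    for label, res in (("craig 0664/2775", CRAIG), ("leonard 0660/2770", LEONARD)):
        print(label, res)
```

Under the first layout the only mode that lets apache write is 0666, i.e. world-writable; under the second, apache writes wherever the group does, which is exactly the trade-off the two posters describe.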
Trey Dockendorf wrote:
I'm setting up a shared web server running Apache. Each web root will belong to a department, which has a corresponding Active Directory group to give access. So far I've got samba working and such, but am having some trouble wrapping my head around the necessary permissions to make
<snip>
I'd be very interested in knowing how someone has solved a problem like this.
What I've done, where developers, for example, need to put updated pages in, is to have the directories owned by apache/httpd, but the *group* that they belong to, and make it group writeable.
mark
On 08/09/11 6:33 AM, m.roth@5-cent.us wrote:
What I've done, where developers, for example, need to put updated pages in, is to have the directories owned by apache/httpd, but the *group* that they belong to, and make it group writeable.
you don't actually want apache/http to own ANY of the web content, it should all be read only from the webserver's perspective. this way if the web server gets hacked, it can't be used to upload hostile content.
On 09/08/2011 09:32, Trey Dockendorf wrote:
I'm setting up a shared web server running Apache.
If they are OK with svn, why not go for svn+ssh and an svn update cronjob on the httpd side?
I presume that human beings always make errors, so the reason is that you can track the changes and save their ass from misoperation.
Cheers,
Nguyen Vu Hung