Hi,
I'm currently sinking my teeth into the fine "Definitive Guide to CentOS". Right now I'm reading the chapter about Apache. One thing puzzles me: no mention is made of web page permissions.
Let's say I'm using Apache's default configuration for setting up the most simple no-frills web server, e.g. no virtual hosts, only a series of static HTML pages in /var/www/html.
Q: what permissions should I define for these pages?
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
Cheers,
Niki
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
Ralph
On Tue, 2009-09-15 at 13:27 +0200, Niki Kovacs wrote:
Ralph Angenendt wrote:
apache:apache - at least that is the UID/GID the webserver runs under.
Thanks very much... and thumbs up to one of the authors. I really like the book.
That chapter was written by someone else, though :)
Ralph
On Tue, Sep 15, 2009 at 6:39 AM, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
Ralph
This is EXTREMELY DANGEROUS!!!! Do NOT give the same ownership to the files as the user/group that apache runs as! As apache runs as apache:apache, setting all of the files with that same owner/group gives everyone on the Internet the possibility to write to any web server files on your server. DO NOT DO THIS!!!
If there's a bug that allows file write access in apache or in any of the program files you run as cgi/php/etc..., then an attacker can write to anywhere in your web site/web app, and gain access to pretty much the entire server. They could plant malware that is served up to all your web users, implant programs that you might run yourself or as root, possibly open up shell access and login to your server, etc...
The correct permissions for all of your web files are any user that the web server is NOT running as. If your web apps need the ability to upload files or to write to specific files, you will have to change those exceptions to apache:apache, but keep that as minimal as possible.
Hi,
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
In Debian Apache runs under (IIRC) www-run which is different from www-data.
In other words, your files should be "readable" and not "writable" by user Apache.
You might choose to achieve that by setting file permissions to 640 and directory permissions to 750 and ownership root:apache or youruser:apache, or setting file/directory ownership to world-readable and then any owner/group different than "apache" would do.
The only files you want writable by Apache are the ones that a web application needs to write, like session files in PHP or config file controlled by a web admin interface.
HTH, Filipe
Filipe Brandenburger wrote:
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
Why wrong? Concerning webdav, how would you get write access for users to write to directories?
Now I am a little bit confused, is your answer under http://www.linux-archive.org/centos/354005-webdav-centos.html also wrong now? You recommended apache:apache for webdav there.
By the way, if someone breaks into your server through Apache, apache:apache is your lowest problem, that's my opinion.
regards Olaf
On Tue, Sep 15, 2009 at 11:58 AM, Olaf Mueller daily-planet@istari.de wrote:
Filipe Brandenburger wrote:
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
Why wrong? Concerning webdav, how would you get write access for users to write to directories?
Now I am a little bit confused, is your answer under http://www.linux-archive.org/centos/354005-webdav-centos.html also wrong now? You recommended apache:apache for webdav there.
One must think about the application at hand and not make blanket statements about this or that. Obviously, as noted above, anything that needs write access to the server disk will need to be owned by the user who is running apache. WebDAV would clearly be one of those cases, while hosting a web site would not.
You are being disingenuous here by selectively editing out the relevant quoted text from the same message above, which I will add back in as a quote here:
> Filipe Brandenburger wrote:
> The only files you want writable by Apache are the ones that a web
> application needs to write, like session files in PHP or config file
> controlled by a web admin interface.
By the way, if someone breaks into your server through Apache, apache:apache is your lowest problem, that's my opinion.
regards Olaf
This statement is quite silly. The type of configuration above could be the vector by which the server is compromised, so it is not at all the lowest problem. In that case it WOULD *BE* the problem.
Brian Mathis wrote:
You are being disingenuous here by selectively editing out the relevant quoted text from the same message above, which I will add back in as a quote here:
Disingenuous? Seems to me that it is a question of truth for you.
Once again. 'apache:apache' is a risk, but it is not wrong. And sometimes it is also needed, since webdav, for example, doesn't work without it. That was what I have tried to work out.
> Filipe Brandenburger wrote:
> The only files you want writable by Apache are the ones that
> a web application needs to write, like session files in PHP
> or config file controlled by a web admin interface.
By the way, if someone breaks into your server through Apache, apache:apache is your lowest problem, that's my opinion.
regards Olaf
This statement is quite silly. The type of configuration above could
Thank you, it is my greeting. You are silly too.
be the vector by which the server is compromised, so it is not at all the lowest problem. In that case it WOULD *BE* the problem.
Don't know why you are screaming here, maybe it is your personality.
regards Olaf
Olaf Mueller wrote:
Filipe Brandenburger wrote:
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
Why wrong? Concerning webdav, how would you get write access for users to write to directories?
Now I am a little bit confused, is your answer under http://www.linux-archive.org/centos/354005-webdav-centos.html also wrong now? You recommended apache:apache for webdav there.
Webdav resources typically need write access.
By the way, if someone breaks into your server through Apache, apache:apache is your lowest problem, that's my opinion.
It is a fairly high risk if you run server-side code (php, perl, etc) for anything. It lets the intruder write where apache is allowed to write. That doesn't have to be anywhere unless you permit uploads.
Les Mikesell wrote:
Olaf Mueller wrote:
Filipe Brandenburger wrote:
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
Why wrong? Concerning webdav, how would you get write access for users to write to directories?
Now I am a little bit confused, is your answer under http://www.linux-archive.org/centos/354005-webdav-centos.html also wrong now? You recommended apache:apache for webdav there.
Webdav resources typically need write access.
By the way, if someone breaks into your server through Apache, apache:apache is your lowest problem, that's my opinion.
It is a fairly high risk if you run server-side code (php, perl, etc) for anything. It lets the intruder write where apache is allowed to write. That doesn't have to be anywhere unless you permit uploads.
Yes, that is also my opinion. The thing that disturbed me was the statement "That's wrong." It is a risk, but not wrong.
regards Olaf
Hi,
On Tue, Sep 15, 2009 at 11:58, Olaf Mueller daily-planet@istari.de wrote:
Filipe Brandenburger wrote:
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
Why wrong? Concerning webdav, how would you get write access for users to write to directories?
Well, that is not the use case presented by the OP:
On Tue, Sep 15, 2009 at 04:20, Niki Kovacs contact@kikinovak.net wrote:
Let's say I'm using Apache's default configuration for setting up the most simple no-frills web server, e.g. no virtual hosts, only a series of static HTML pages in /var/www/html.
Obviously, if you want to set up Apache to serve WebDAV with write access you will need to set the permissions to the files in a way that Apache is able to write to the files. There are many other cases that might justify that, but that should not be done every time, as much as you should not run "chmod 777" or "kill -9" without thinking about what you are doing and knowing the consequences of those commands.
However, if you are serving files that are not supposed to be modified by Apache or a web application running under it, they should *not* be writable by the Apache user. Making them writable by the Apache user will only increase the potential for damage should your webserver be hacked. But it's good to point that out since that is a very common mistake among beginner (and even more seasoned!) sysadmins.
HTH, Filipe
On Tue, Sep 15, 2009 at 4:20 AM, Niki Kovacs contact@kikinovak.net wrote:
Hi,
Q: what permissions should I define for these pages?
I'd say, the most restrictive permissions possible, that still allow your web application to function. I'm a bit more security conscious/paranoid than most though.
There is an array of things to consider when you're asking about this sort of thing.
1. Is it a simple server where the person setting things up has the keys to the castle everywhere, or do you have a 'web group' who can only deposit pages, but have no other additional privileges and no root access?
2. Are you hosting static content or dynamic pages?
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
The default in CentOS is root ownership, with read privs so the web server running as apache can hand them out. This is fine for static content in a basic setup. Some content management systems require that the web server be able to create files, in which case Ralph's recommendation of apache:apache ownership is correct. The downside to this is that if someone compromises that software through a php exploit or bad code, they can make changes since they're operating as the apache user.
I would suggest that you mix the two ideologies as much as possible. Have root own everything that doesn't change, and display it with 644 permissions. Then let the apache user own the dynamic content areas.
The whole idea is to assume that at some point, someone *is* going to get in, and you need to plan to minimize the impact when they do. By planning things out in this way, you can keep your system much more secure, and prevent nearly all break-ins before they occur.
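The layout Filipe (640/750, owner root:apache or youruser:apache) and Jim (root owns what doesn't change, apache owns only the dynamic areas) describe, as an added shell example that is not part of the thread. It assumes the CentOS default of the web server running as user and group "apache" and that content is owned by root:apache or youruser:apache, so the only ways the server could write are a group/other write bit or apache ownership. The ownership step itself (chown -R root:apache) needs root and is left to the operator; the functions below set and audit modes on a constructed sample tree, which is what a cron job or a pre-deploy check would do.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the web server runs as
# "apache" (CentOS default) and content is owned root:apache or
# youruser:apache, so group/other write bits and apache ownership are the
# only ways the server could modify files under the document root.

# harden_docroot DIR
# Directories 750, regular files 640 (Filipe's suggestion). With group
# "apache" this lets the server traverse and read, but not write.
harden_docroot() {
    find "$1" -type d -exec chmod 750 '{}' +
    find "$1" -type f -exec chmod 640 '{}' +
}

# allow_web_writes DIR
# The deliberate exception Jim describes: one directory a web application
# must write to (uploads, PHP sessions). Group-writable only, never 777.
allow_web_writes() {
    chmod 770 "$1"
}

# list_web_writable DIR
# Every file or directory under DIR with a group- or other-write bit set.
# -perm /022 matches when either bit is set (GNU and BSD find).
list_web_writable() {
    find "$1" \( -type f -o -type d \) -perm /022 | sort
}

# count_web_writable DIR
# The same check as a number, convenient for a cron report or a deploy gate.
count_web_writable() {
    list_web_writable "$1" | wc -l | tr -d ' '
}

# count_owned_by DIR USER
# Number of entries owned by USER (e.g. apache). Should be zero, or limited
# to the writable exceptions. Prints 0 if the account does not exist here.
count_owned_by() {
    if ! id -u "$2" >/dev/null 2>&1; then
        echo 0
        return 0
    fi
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# make_sample_docroot
# A throwaway tree, constructed for this example, that mimics a sloppy
# /var/www/html: a world-writable index page and a 777 uploads directory.
# Modes are set explicitly so the result does not depend on the umask.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/css" "$d/uploads"
    echo '<h1>hello</h1>' > "$d/index.html"
    echo 'body{}' > "$d/css/site.css"
    chmod 755 "$d/css"
    chmod 644 "$d/css/site.css"
    chmod 666 "$d/index.html"
    chmod 777 "$d/uploads"
    echo "$d"
}

# Demonstration: audit, harden, re-audit, then carve out the one exception.
root=$(make_sample_docroot)
echo "before hardening: $(count_web_writable "$root") writable path(s)"
harden_docroot "$root"
echo "after hardening:  $(count_web_writable "$root") writable path(s)"
allow_web_writes "$root/uploads"
echo "with uploads exception, still writable by the web group:"
list_web_writable "$root"
rm -rf "$root"
```

Run the audit functions against the real document root as root (for example `count_web_writable /var/www/html` and `count_owned_by /var/www/html apache`) and treat any path that is not a known upload or session directory as a finding; after hardening, confirm the site still renders, since a file that is 640 but not group apache is now unreadable by the server.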
Jim Perrin wrote:
- Are you hosting static content or dynamic pages?
Both and neither :o)
I'm a system administrator for a series of public libraries here, and hosting several dynamic sites on a dedicated server (running CentOS). I'm just in one of my documentation phases, where I have some time to spend on an unused machine, so I'm reading some docs and working through them, back to basics.
Niki