On Wed, May 4, 2011 at 12:58 PM, Kenneth Porter <shiva@sewingwitch.com> wrote:
User apache only needs read access except under special conditions, such as a script that needs to store configuration in a file. And a lot of apps store their state in a DB so they don't need filesystem write access at all.
Set the permissions as strict as possible, so that if an attacker finds a bug in apache, he does as little damage as possible.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Thanks for the suggestions Richard and Kenneth. I installed drupal here and it requires user running apache to have write access on filesystem. Otherwise it complains: 'The directory sites/default/files is not writable'. The content editors/developers need write access to theme/pictures folders. So it seems like I can't avoid giving write access to apache user. Any hacks or tips here?
jM.
On 05/04/2011 02:49 PM, Johan Martinez wrote:
Thanks for the suggestions Richard and Kenneth. I installed drupal here and it requires user running apache to have write access on filesystem. Otherwise it complains: 'The directory sites/default/files is not writable'. The content editors/developers need write access to theme/pictures folders. So it seems like I can't avoid giving write access to apache user. Any hacks or tips here?
You may not need it in this case, but you can set up your mount using ACLs, then use setfacl to assign more than just one group or user to have permissions on a directory. You can keep that in mind if httpd gets upset about having a different group than apache.
http://computernetworkingnotes.com/rhce_certification/acl.htm
Johan Martinez wrote on Wed, 4 May 2011 14:49:52 -0500:
Thanks for the suggestions Richard and Kenneth. I installed drupal here and it requires user running apache to have write access on filesystem.
Assuming you are running mod_php and safe_mode: that is probably because of PHP safe_mode. You didn't say you were going to write to that area with drupal. That's a completely different picture, then! You really have to give the complete picture.
In PHP safe_mode you can:
a) have all php files and the write area owned by apache
b) have all php files owned by a user and the write area writable by apache but owned by the user (*)
c) have all php files owned by the user, group-owned by apache and the write area group-owned by apache and owned by the user, and use safe_mode_gid instead of safe_mode.
(*) this doesn't work if you create subdirectories because they get the wrong permissions and apache can't pass thru
I think the most-used scenario is b). You will have to do some research to see what fits your setup best. (php.net/safe_mode). Also note that safe_mode is discouraged "officially" now since it isn't 100% reliable. However, I strongly advise using it if possible as long as it is available.
Kai
On Wednesday, May 04, 2011 10:49 PM +0200 Kai Schaetzl <maillists@conactive.com> wrote:
b) have all php files owned by a user and the write area writable by apache but owned by the user (*)
(*) this doesn't work if you create subdirectories because they get the wrong permissions and apache can't pass thru
Make the writable directories SGID and any files and subdirectories created there will inherit the group ownership:
Kenneth Porter wrote on Wed, 04 May 2011 14:12:32 -0700:
Make the writable directories SGID and any files and subdirectories created there will inherit the group ownership:
AFAIK, this works on Unix, but not on Linux. On Linux you have to use ACLs, as Johnny already pointed out.
Kai
On Thu, May 05, 2011 at 12:31:15AM +0200, Kai Schaetzl wrote:
Kenneth Porter wrote on Wed, 04 May 2011 14:12:32 -0700:
Make the writable directories SGID and any files and subdirectories created there will inherit the group ownership:
AFAIK, this works on Unix, but not on Linux. On Linux you have to use ACLs, as
It works on Linux.
$ id -a
uid=500(sweh) gid=500(sweh) groups=0(root),500(sweh),501(vboxusers)
$ ls -ld .
drwxr-sr-x 2 sweh bin 4096 May 4 18:33 ./
$ ls -l hmmm
/bin/ls: hmmm: No such file or directory
$ touch hmmm
$ ls -ld hmmm
-rw-r--r-- 1 sweh bin 0 May 4 18:33 hmmm
So the file I just created is in group bin even though I am not in that group.
On 05/04/2011 12:49 PM, Johan Martinez wrote:
Thanks for the suggestions Richard and Kenneth. I installed drupal here and it requires user running apache to have write access on filesystem. Otherwise it complains: 'The directory sites/default/files is not writable'. The content editors/developers need write access to theme/pictures folders. So it seems like I can't avoid giving write access to apache user. Any hacks or tips here?
Tip 1: Your files and directories can have different permissions. Rather than your original setup, try:
chown -R apache:contenteditors /var/www/html
find /var/www/html -type f -exec chmod 0464 {} +
find /var/www/html -type d -exec chmod 2575 {} +
or:
chown -R apache:apache /var/www/html
find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +
Tip 2: Don't install drupal in /var/www/html. Generally, /var/www/html should be used only for static content. Web applications should be installed outside the document root to prevent a misconfiguration from allowing remote clients to download files that might contain configurations, passwords, or other sensitive information. See the rpm packaged drupal for an example of how this is done.
Tip 3: If your application says that it needs write access to "sites/default/files", then add write access only for that directory.
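The layout from Gordon's Tip 1 and Tip 3, together with the SGID inheritance Kenneth suggested and Stephen demonstrated, as one added shell example that is not part of the thread. It assumes GNU coreutils on Linux, applies modes only (the chown -R apache:contenteditors step needs root and is left to the administrator), and the function names harden_webroot, mode and cleanup, the sites/default/files path and the constructed directory tree are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils (stat -c) on Linux.
set -e

# harden_webroot DOCROOT WRITABLE_SUBDIR
#   files -> 0464  owner (apache) read-only, group (editors) rw, other read
#   dirs  -> 2575  owner r-x, group rwx, SGID so new entries keep the group
#   Only WRITABLE_SUBDIR (e.g. sites/default/files) gets owner write
#   (2775 / 0664), so the httpd user can store uploads there and nowhere else.
harden_webroot() {
    docroot=$1
    writable=$1/$2

    find "$docroot" -type f -exec chmod 0464 {} +
    find "$docroot" -type d -exec chmod 2575 {} +

    # the upload area: apache may create and modify, editors keep rwx via group
    find "$writable" -type d -exec chmod 2775 {} +
    find "$writable" -type f -exec chmod 0664 {} +

    # SGID fixes the group of new files but not their mode: anything apache
    # creates is born with apache's umask, so the editors group may lose write.
    # A default ACL on the upload area fixes that on ACL-enabled filesystems;
    # skipped quietly where setfacl or ACL support is missing.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -d -m g::rwx "$writable" 2>/dev/null || true
    fi
}

# mode PATH: octal mode including the setgid digit, e.g. 2575 (GNU stat)
mode() { stat -c '%a' "$1"; }

# cleanup DIR: owner has no write on the hardened dirs, so restore it first
cleanup() { chmod -R u+rwX "$1"; rm -rf "$1"; }

# demo: constructed tree standing in for a Drupal checkout (not a real site)
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sites/default/files" "$tmp/themes/mytheme"
    printf 'db password here\n' > "$tmp/sites/default/settings.php"
    : > "$tmp/themes/mytheme/logo.png"

    harden_webroot "$tmp" sites/default/files

    # a directory created afterwards inherits SGID from its parent on Linux
    mkdir "$tmp/sites/default/files/2011-05"

    printf 'settings.php %s  themes/ %s  files/ %s  files/2011-05/ %s\n' \
        "$(mode "$tmp/sites/default/settings.php")" \
        "$(mode "$tmp/themes")" \
        "$(mode "$tmp/sites/default/files")" \
        "$(mode "$tmp/sites/default/files/2011-05")"
    cleanup "$tmp"
}

demo
```

With this layout the apache user cannot modify PHP code or themes at all, which is what limits the damage from a compromised web process, while the editors group can. The default ACL only takes effect if the filesystem is mounted with ACL support; without it, the alternative is to lower httpd's umask so that files it creates are group-writable.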
On Wed, May 4, 2011 at 7:38 PM, Gordon Messmer <yinyang@eburg.com> wrote:
Thanks for the suggestions everyone. I am using following config for now.
* Moved drupal install outside document root and used alias for the namespace mapping.
* Filesystem ownership: apache:contenteditors
* Filesystem permissions: u=rx, g=rwx, group with sticky bit set. Exception of 'sites/default/files' on which apache has write permissions.
jM