[CentOS] Using Samba to share Apache web root, securely

Tue Aug 9 15:44:01 UTC 2011
Craig White <craig.white at ttiltd.com>

On Aug 8, 2011, at 11:31 PM, Leonard den Ottolander wrote:

> On Mon, 2011-08-08 at 19:52 -0700, Craig White wrote:
>> mkdir /var/www/html/department_a
>> chown root:department_a /var/www/html/department_a
>> chmod g+ws /var/www/html/department_a
> 
> In which case you probably want to add apache to the department_a group.
> And all users accessing that share of course, although the sgid will
> always set the gid correctly, assuming the user can actually write there
> which is easier to accomplish if they share that group.
> 
> There's probably a way to add apache to that group with a configuration
> on the local machine so it doesn't have to query your ADS/NMB server.
> Not sure about the details but the docs at http://samba.org/samba/docs/
> are invaluable.
----
I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated (and they should be, with the given configuration), there's absolutely no need to do any mucking with local users or groups at all.

The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).

There are two important features of what I proposed...
- sgid means that all files/folders created within will always belong to department_a group
- create mask 664 & directory mask 775 means that for each file & directory created, the group will always get rw privileges and everyone else (i.e. user apache) has 'read' privileges.

The only weakness of this theory, as I see it, is that there very well may be files - perhaps config files - that you wouldn't want anyone to be able to see, and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.

Craig
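As an added illustration (not part of Craig's message or the Samba project), the following Python model shows the two mechanisms the reply relies on: the sgid bit on the share directory deciding which group a new file gets, and Samba's documented rule that the requested mode is AND'ed with `create mask` / `directory mask` and then OR'ed with `force create mode` / `force directory mode`. The user names alice/bob, a requested mode of 0666 from the client, and `apache` not being a member of department_a are assumptions made for the example.

```python
"""Model of sgid group inheritance plus Samba's create/directory mask rule."""
import stat

# smb.conf values from the thread; the force modes are assumed to be unset (0).
SHARE = {"create mask": 0o664, "directory mask": 0o775,
         "force create mode": 0o000, "force directory mode": 0o000}


def samba_mode(requested, is_dir, share=SHARE):
    """UNIX mode Samba assigns: (requested AND mask) OR force mode."""
    mask = share["directory mask"] if is_dir else share["create mask"]
    force = share["force directory mode"] if is_dir else share["force create mode"]
    return (requested & mask) | force


def new_object_group(parent_mode, parent_group, creator_primary_group):
    """With sgid set on the parent (chmod g+s), new objects inherit its group."""
    return parent_group if parent_mode & stat.S_ISGID else creator_primary_group


def can_access(mode, owner, group, user, user_groups, want_write=False):
    """POSIX class selection: owner bits, else group bits, else 'other' bits."""
    shift = 0 if user == owner else (3 if group in user_groups else 6)
    readable = bool(mode & (stat.S_IRUSR >> shift))
    writable = bool(mode & (stat.S_IWUSR >> shift))
    return readable and (writable or not want_write)


def department_share_scenario(create_mask=0o664):
    """alice (department_a member) saves a file; bob is a member, apache is not."""
    share = dict(SHARE, **{"create mask": create_mask})
    parent_mode = 0o2775                      # chmod g+ws /var/www/html/department_a
    mode = samba_mode(0o666, is_dir=False, share=share)  # assumed client request rw-rw-rw-
    grp = new_object_group(parent_mode, "department_a", "alice")
    return {
        "mode": oct(mode),
        "group": grp,
        "group_can_write": can_access(mode, "alice", grp, "bob", {"department_a"}, want_write=True),
        # True means every file in the share is visible to the web server, which is
        # exactly the config-file exposure the reply says <Directory> must cover.
        "apache_can_read": can_access(mode, "alice", grp, "apache", {"apache"}),
        "apache_can_write": can_access(mode, "alice", grp, "apache", {"apache"}, want_write=True),
    }


if __name__ == "__main__":
    print(department_share_scenario())        # mask 664: apache reads via 'other' bits
    print(department_share_scenario(0o660))   # mask 660: apache would need the group
```

Running the second case shows why a tighter `create mask` is what would make adding `apache` to department_a necessary; with 664, the 'other' read bit already does the job.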