I have user:nobody and group:nogroup set for apache in httpd.conf.
Since I also use my own user to manage files on ssh through Samba, I would like to have access to the www folder for read/write, and also allow apache to read these files.
Some folders should have apache's write permissions.
Should I leave apache as nobody|nogroup?
I was thinking I should set my own user under a group called say "webadmins" and set apache a new user called say "apache" under the same group. Then allow the group to read from all files, but only my user will have write files. Whenever apache would need a write permission inside a folder, I would manually change that. Is this a fair enough approach or am I missing something?
Thanks!
Usually any daemon will need to access a number of resources.
It is therefore good practice to run each daemon under a special user:group, rather than nobody:nogroup.
Traditionally (e.g. on Debian systems) apache runs as www-data:www-data.
Finally, user permissions take precedence over group permissions (which in turn take precedence over other permissions).
This means that a directory where the user does not have write perms but the user's group can write is effectively r/o for that user (but not for other members of the group).
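The precedence rule in the answer above is easy to get wrong when planning a "webadmins" style layout, so here is an added example (editor's code, not from the thread) that resolves which triplet of a mode applies to a given user; it goes slightly beyond the answer in that a user may belong to several supplementary groups. The names philip, apache, webadmins and the mode r--rw-r-- are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the answer above): resolve which permission
# triplet applies to a user. Unix tests the classes in order owner, group,
# other and uses the FIRST match only, so an owner with "r--" cannot write
# even when the group triplet is "rw-". Names are constructed for the demo.

# effective_perms OWNER GROUP MODE USER "GRP1 GRP2 ..."
#   MODE is the 9-character symbolic mode, e.g. r--rw-r--
#   prints the 3-character triplet that applies to USER
effective_perms() {
    owner=$1; group=$2; mode=$3; user=$4; ugroups=$5
    if [ "$user" = "$owner" ]; then
        printf '%s' "$mode" | cut -c1-3         # owner class wins outright
        return 0
    fi
    for g in $ugroups; do                       # any supplementary group counts
        if [ "$g" = "$group" ]; then
            printf '%s' "$mode" | cut -c4-6     # group class
            return 0
        fi
    done
    printf '%s' "$mode" | cut -c7-9             # everyone else
}

# can_write OWNER GROUP MODE USER GROUPS -> exit 0 if the effective triplet has w
can_write() {
    case "$(effective_perms "$@")" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo: a file owned by philip:webadmins with mode r--rw-r-- (constructed).
# philip, the owner, is read-only; apache, a webadmins member, can write.
for who in "philip webadmins" "apache webadmins" "nobody nogroup"; do
    set -- $who
    printf '%-8s -> %s\n' "$1" "$(effective_perms philip webadmins r--rw-r-- "$1" "$2")"
done
```

This is exactly the situation the answer warns about: if you give the shared group more rights than the owning user, the owner ends up with less access than the rest of the group, so keep the owner triplet at least as permissive as the group triplet.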
I need to allow my local webserver (localhost) to read and write the /etc/network/interfaces file on a linux system (ubuntu).
The data manipulation of the file is done, I just need to know the best way of granting www-data the permission to do it.
I guess I could first log in as root and set permission for all to edit the file (not a big security risk since it is a mediaplayer and won't be accessed by any other user).
I could also do some nifty grouping of the user, I guess... not so seasoned with these linux things.
Anyone have a good suggestion, or input on why my suggested method is bad?
I don't know why you would want to do this, but generally groups are handy for this:
You create a new group, for example networking
then you change the group of the file to this new group (and check that it has g+rw permission)
finally you add www-data user to the networking group.
(And possibly relog, since permissions are often cached; this may not be needed for www-data)
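The three steps in the answer above, as an added example (editor's script, not the answerer's), with a check function so you can confirm the result rather than assume it. The group name "networking" and the daemon user come from the answer; the functions and the GNU `stat -c` format are assumptions. `setup_group_access` needs root; `grant_group_rw` and `group_can_rw` run unprivileged on a file you own and a group you belong to.

```shell
#!/bin/sh
# Added example (not from the thread). Two parts:
#  1. setup_group_access: the one-off steps from the answer above; needs root.
#  2. grant_group_rw / group_can_rw: make one file group-writable and verify
#     it with stat. These run unprivileged as long as you own the file and
#     belong to the target group.
# Assumes GNU coreutils (stat -c) and the usual shadow-utils commands.

setup_group_access() {   # usage: setup_group_access GROUP FILE DAEMON_USER
    group=$1; file=$2; daemon=$3
    groupadd "$group"                 # 1. create the group (e.g. networking)
    chgrp "$group" "$file"            # 2. hand the file to the group
    chmod g+rw "$file"                #    and let the group read/write it
    usermod -aG "$group" "$daemon"    # 3. add www-data (or similar) to it
    # Group membership is read when a process starts, so the daemon only
    # sees the new membership after it has been restarted.
}

# grant_group_rw FILE GROUP: group read/write, and never world-writable
grant_group_rw() {
    chgrp "$2" "$1" && chmod g+rw,o-w "$1"
}

# group_can_rw FILE GROUP -> exit 0 if FILE belongs to GROUP (name or gid)
# and the group triplet is rw
group_can_rw() {
    file=$1; group=$2
    [ "$(stat -c %G "$file")" = "$group" ] || [ "$(stat -c %g "$file")" = "$group" ] || return 1
    perms=$(stat -c %A "$file")              # e.g. -rw-rw-r--
    case "$(printf '%s' "$perms" | cut -c5-6)" in
        rw) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo on a throwaway file, using the caller's own primary gid so it works
# without root (constructed input).
f=$(mktemp)
grant_group_rw "$f" "$(id -g)"
group_can_rw "$f" "$(id -g)" && echo "group can read/write $f"
rm -f "$f"
```

Verifying with `stat` after the change is the useful part: it catches the two common slips, a `chgrp` that silently failed because you are not in the target group, and a mode that also opened the file to "other".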
I have a perl server which needs the ability to read users' files and data, and write to them. The users are authenticated via LDAP, so I can verify passwords and learn their home directory.
From here I need some way for this webserver (running as www-data) to access their files. I've thought about running every command through su/sudo but that's really not optimal when I just need to open/write/close/glob files in their home directories.
Is there standard practice for this? I haven't been able to turn up anything so far.
Notes
I want the files in their home directory, as the users will be SSHing in and running other commands on them that won't be available via the web
The web connection is made over HTTPS of course.
You might want to reconsider your architecture. This sounds like a job for virtual hosts in an ISP-like configuration.
First, read "Dynamically configured mass virtual hosting" page in the Apache VirtualHost documentation. Then read about how to run each virtual host as a different user
Under this approach you would have a vhost for each user running as $user.example.com; when Apache forks off a worker for the vhost, the fork runs suid as the appropriate user. Then you set up docroot and scriptalias for the vhost which point to the site code.
Long story short, it's probably better to use Apache's (well-tested and well-documented) features for managing user identity than it is to do it in Perl or whip up your own suid wrapper. It's notoriously difficult to get it right.
Are you running Apache? This sounds like a job for WebDAV.
The trouble is that your web server is running as www-data. By design, it won't be able to change the owner of any file. Some other privileged process will need to change ownership on the webserver's behalf.
You could write a minimal set UID script to handle changing the ownership of files and deleting them, but this path is fraught with peril (especially if you've never written a setUID program before.)
I'm using WordPress and I want files created by WordPress to have the user of the file that created them, not the user the web server is running as. For example, my WordPress files and directories are owned by philip in the group www-data. When WordPress creates a file, I want the owner of the file to be philip and not www-data.
Is this possible? My suspicion is it can be achieved with setuid or sticky bit, but I'm not sure how to apply it.
Not without a lot of extra effort. From what you're describing, it sounds like you're probably running PHP using mod_php or something similar; that will always run within the web server, as the web server user. setuid/setgid only work when there's a new process being executed, which isn't the case here.
You can work around this by running PHP using CGI or FastCGI (which'll let you run all PHP scripts as your own user), but that's a lot of extra setup that you probably don't want to get into.
If you don't want the group to have access, you could use the sticky bit to set g-rwx. The problem with setgid (you asked to change the group, not the user), is that the user running the command must have privileges to assign that group. If you don't want the webserver (i.e. www-data) to have access, then you probably don't want to change the gid to any group that it has access to. Otherwise, you'll need to have some other process with other privileges come along and make this change for the web server, via cron or some other scheduler.
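Since mod_php cannot change the owner of what it writes, the practical middle ground is to control the group instead: a setgid directory makes every file created inside it inherit the directory's group rather than the creating process's primary group. Added example (editor's code, not from the answer); the directory name and the GNU `stat -c` format are assumptions, and the demo uses the caller's own gid so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). mod_php cannot change the *owner* of
# files it creates, but a setgid directory makes every new file inherit the
# directory's group instead of the creating process's primary group, so the
# files stay shared between philip and www-data without a later chown.
# Assumes GNU stat.

# make_shared_dir DIR GROUP: group-owned, setgid, no access for "other"
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# dir_mode DIR -> octal mode including the setgid bit, e.g. 2770
dir_mode() { stat -c %a "$1"; }

# inherits_group DIR FILE -> exit 0 if FILE carries DIR's group
inherits_group() {
    [ "$(stat -c %g "$1")" = "$(stat -c %g "$2")" ]
}

# Demo with the caller's own gid (constructed; in production this would be
# the www-data group the site directories already use).
d=$(mktemp -d)/uploads
make_shared_dir "$d" "$(id -g)"
touch "$d/new.txt"                 # stands in for a file WordPress writes
inherits_group "$d" "$d/new.txt" && echo "new.txt inherited group $(stat -c %G "$d") (dir mode $(dir_mode "$d"))"
```

Note what this does not do: the owner of `new.txt` is still whoever created it (www-data under mod_php), which is the limitation the answer describes; the setgid bit only fixes the group side.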
I'd like to edit Solr configuration files on my linux box via a samba share. The files need to be tomcat6:mygroup, but when I edit the files via windows, it writes them as myuser:mygroup. Is it possible to change the write settings for a single samba share so it preserves the existing user, group and permissions?
Is this something that can be done via Samba configuration, or is something trickier needed?
You should include an appropriate force user statement into your smb.conf. I'm assuming your Samba share's name is smbshare:
[smbshare]
....
force user = tomcat6
....
You can find out more details via man smb.conf. The important points are: tomcat6 needs to be a user on the system. Your connection to the [smbshare] needs to take place with valid user credentials. Once connected, all file operations will be performed under the credentials of tomcat6 though. (You don't seem to want an additional setting of force user = ..., which is also possible....)
Update: You said you wanted to "preserve the existing user, group and permissions". Note, that my suggestion doesn't do that. It forces all edited files to be owned by tomcat6:mygroup instead of preserving the original settings. Maybe this is good enough for your purpose.
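Because `force user` silently decides which identity every write on the share happens as, it is worth being able to check what a given share is configured to do. Added example (editor's code, not from the answer): a small awk-based reader that pulls one setting out of one share section. The sample smb.conf is constructed for the demo; the share name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): read one setting ("force user",
# "force group", ...) of one share from an smb.conf, so you can see which
# identity a share will write files as before relying on it.

# share_setting CONF SHARE KEY -> prints the value, exit 1 if not set
share_setting() {
    awk -v share="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/   { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*/, "", sect); next }
        sect == share && index($0, "=") {
            k = $0; v = $0
            sub(/=.*/, "", k); sub(/^[^=]*=/, "", v)             # split on first =
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Constructed sample config for the demo (not a real smb.conf from the thread).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = WORKGROUP

[smbshare]
   path = /srv/solr/conf
   valid users = myuser
   force user = tomcat6
   force group = mygroup
   create mask = 0660

[public]
   path = /srv/public
   read only = yes
EOF
    printf '%s\n' "$f"
}

conf=$(make_sample_conf)
printf 'smbshare writes as: %s:%s\n' \
    "$(share_setting "$conf" smbshare "force user")" \
    "$(share_setting "$conf" smbshare "force group")"
share_setting "$conf" public "force user" || echo "public: no force user (writes as the connecting user)"
rm -f "$conf"
```

This is a reader for the settings as written, not a full Samba parser; for the authoritative, defaults-included view of a live configuration use `testparm -s` from the Samba tools.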
I have set up an SVN repository for use with Apache 2 via svnadmin create command and appropriate vhost configuration. I found that, in order to correctly use the repository, this must be owned by wwwrun user (or www group) or chmodded to 777.
I would like to ask if it's possible to explicitly tell Apache to impersonate another user when serving requests to a certain path (from vhost.conf), like with suphp extension, so I won't mess with permissions once I create a repository.
Thank you in advance
To impersonate another user, apache would need to have elevated privileges - this would miss the point of running apache with limited rights (as user wwwrun in your example) in the first place. Therefore, pick one of the following:
Run apache as root (dangerous, since a compromised apache will compromise your entire system)
Make wwwrun a member of the svnrepo group that you give access to your repository
Create a suid binary and a corresponding apache module to allow apache to impersonate (very complicated, easy to mess up - that's how suphp does it)
Change the permissions of the repository itself to allow everybody, wwwrun, or the www group.
Quite frankly, I don't see the problem you're having with the second or last option. Why can't you allow wwwrun to access your svn repository?
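The "chmod 777" shortcut mentioned in this question (and the "set permission for all" idea earlier on the page) is the thing the second and last options are meant to avoid. Added example (editor's code, not from the answer): hand a repository tree to the web server's group with setgid directories, then audit that nothing under it is writable by everyone. The demo tree is constructed; the group is the caller's own gid so it runs without root, and GNU `find`/`stat` are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): replace a world-writable tree with a
# group-shared one (owner rw, group rw, nothing for "other") and verify it.
# Assumes GNU find and stat; run fix_tree as root, or as the tree's owner
# while being a member of the target group.

# world_writable DIR -> lists entries under DIR that "other" can write
world_writable() {
    find "$1" -perm -o+w -print
}

# count_world_writable DIR -> number of such entries
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# fix_tree DIR GROUP: group-own everything, setgid dirs so new files keep the
# group, files rw for owner and group only
fix_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2770 {} +
    find "$1" -type f -exec chmod 0660 {} +
}

# Constructed demo: a tiny svn-like layout that was "fixed" with chmod -R 777.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/repo/db" "$d/repo/hooks"
    : > "$d/repo/db/current"
    : > "$d/repo/hooks/pre-commit"
    chmod -R 777 "$d/repo"
    printf '%s\n' "$d/repo"
}

repo=$(make_demo_tree)
echo "before: $(count_world_writable "$repo") world-writable entries"
fix_tree "$repo" "$(id -g)"          # in production: the www / svnrepo group
echo "after:  $(count_world_writable "$repo") world-writable entries"
world_writable "$repo"               # prints nothing once the tree is fixed
```

Running `world_writable` over the real document root or repository path is a cheap recurring check: any output means a later deploy or a quick fix has reopened the tree to every local user, which is the exposure the 777 shortcut creates.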