Re: Users, groups, rights and apache please advice

2003-10-08 Thread Kevin B. McCarty
> I got the following situation:
> A server (debian stable) running a number of domains 
> For each domain I've created a group, and everybody that has
> something to do with this domain is in that group
> I want everybody in the group to be able to change the website of
> that domain, and everybody who's not in that group shouldn't even be
> able to read the files (because of plain text database passwords that
> can often be found in files like db.php)
> So I use a umask of 007, everything looks good so far
> However Apache doesn't quite like it, Apache can't read the files
> (obviously) and the Group directive works only for CGI :-( (within a
> virtualhost)

Hi,
Perhaps the following would work?  Set /usr/sbin/apache to be run as user
www-data (this user should exist by default in a Debian installation), 
then add the www-data user to all of the appropriate domain groups?

For instance, in /etc/init.d/apache, add the flag "--chuid www-data" to
all of the invocations of "start-stop-daemon --start".  Or you could use
"dpkg-statoverride --update --add www-data www-data 4755 /usr/sbin/apache"  
to accomplish essentially the same thing.  Then the relevant lines in 
/etc/group should be made to look something like this:

domain1:x:1000:user1,user2,www-data
domain2:x:1001:user3,user4,www-data
[etc.]

This will also require you to change the ownership of apache's log
directory so it can still write there, and maybe other things as well.  I
have not tested any of this, so caveat emptor!

Of course, realize that if your offending database files (db.php) are
included within the domain directories, if apache can read them then so
can anyone on the Web who happens to type the right URL to reach them.

-- 
Kevin McCarty                Physics Department
[EMAIL PROTECTED]            Princeton University
www.princeton.edu/~kmccarty  Princeton, NJ 08544




Re: Users, groups, rights and apache please advice

2003-10-08 Thread Brian May
On Wed, Oct 08, 2003 at 11:50:01AM +0200, Ron Rademaker wrote:
> I got the following situation:
> A server (debian stable) running a number of domains 
> For each domain I've created a group, and everybody that has
> something to do with this domain is in that group
> I want everybody in the group to be able to change the website of
> that domain, and everybody who's not in that group shouldn't even be
> able to read the files (because of plain text database passwords that
> can often be found in files like db.php)
> So I use a umask of 007, everything looks good so far
> However Apache doesn't quite like it, Apache can't read the files
> (obviously) and the Group directive works only for CGI :-( (within a
> virtualhost)

Another solution would be to use ACL (access control lists).

That way you can give www-data read-only access to the
files, but anyone in the group can write to the files.

That way, if anybody compromises apache, the most an attacker
could do is read any web file, but not write to them.
-- 
Brian May <[EMAIL PROTECTED]>
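The layout Kevin describes (group-owned, group-writable docroots created under umask 007, with nothing readable by "other") and the read-only ACL Brian proposes for www-data, as an added example that is not code from either poster. It assumes GNU find and the acl tools (setfacl/getfacl) and uses Debian's default uid for www-data, 33, numerically so no account lookup is needed; the caller's primary group stands in for the per-domain group so the script runs unprivileged, and the files it creates are constructed, not a real site.

```shell
#!/bin/sh
# Added example (not from the thread): per-domain web tree closed to "other",
# an audit that finds anything world-accessible, and an optional POSIX ACL
# that lets www-data read (but not write) without joining the domain group.
# Assumptions: GNU find/chmod, acl tools, www-data uid 33 (Debian default);
# the caller's primary gid stands in for the domain group.

set -u

# make_domain_tree DIR GID: docroot owned by the domain group, setgid and
# closed to "other" (2770), so files created under umask 007 inherit the group.
make_domain_tree() {
    dir=$1; gid=$2
    umask 007
    mkdir -p "$dir"
    chgrp "$gid" "$dir"
    chmod 2770 "$dir"
}

# audit_world_access DIR: print the number of entries under DIR that grant any
# permission to "other". Zero means uninvolved accounts cannot read db.php.
audit_world_access() {
    find "$1" -perm /007 | wc -l | tr -d ' '
}

# grant_readonly_acl DIR UID: give UID read access (traverse on directories
# only, via rX) through ACLs, plus a default ACL so new files inherit it.
# Returns 0 when applied, 2 when ACLs are unavailable on this filesystem.
grant_readonly_acl() {
    dir=$1; uid=$2
    command -v setfacl >/dev/null 2>&1 || return 2
    setfacl -R -m "u:$uid:rX" "$dir" 2>/dev/null || return 2
    find "$dir" -type d -exec setfacl -d -m "u:$uid:rX" {} + 2>/dev/null || return 2
    return 0
}

# Demo against a throwaway tree (constructed data, not a real site).
demo_root=$(mktemp -d)
docroot="$demo_root/domain1"
make_domain_tree "$docroot" "$(id -g)"
umask 007
printf '<?php $db_pass = "secret"; ?>\n' > "$docroot/db.php"   # lands as 660
printf '<html></html>\n' > "$docroot/index.html"
chmod 644 "$docroot/index.html"   # deliberate mistake the audit should catch
echo "world-accessible entries before fix: $(audit_world_access "$docroot")"
chmod -R o-rwx "$docroot"
echo "world-accessible entries after fix:  $(audit_world_access "$docroot")"
if grant_readonly_acl "$docroot" 33; then
    getfacl -p "$docroot/db.php"
else
    echo "ACLs not available here; www-data would need group membership instead"
fi
rm -rf "$demo_root"
```

The audit is the part worth keeping around: run it over every docroot after a deployment, since one misplaced chmod 644 on db.php exposes the database password to every local account even when Apache itself is correctly confined. Note that the ACL grants read access only; if www-data must write (uploads, caches), that is the case for group membership rather than ACLs, which is the trade-off Brian's message is pointing at.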




RE: Users, groups, rights and apache please advice

2003-10-09 Thread Ron Rademaker
I've already used the other solution (make www-data member of the
groups) and it works fine (I want www-data to be able to write in some
situations). 
BTW I just noticed I've sent this mail to debian-devel, I meant to send
it to debian-user, my apologies to anyone who felt the least bit annoyed
by yet another user who doesn't know where to go for help.






Re: Users, groups, rights and apache please advice

2003-10-09 Thread Thomas -Balu- Walter
On Thu, Oct 09, 2003 at 11:43:18AM +0200, Ron Rademaker wrote:
> I've already used the other solution (make www-data member of the
> groups) and it works fine (I want www-data to be able to write in some
> situations). 
> BTW I just noticed I've sent this mail to debian-devel, I meant to send
> it to debian-user, my apologies to anyone who felt the least bit annoyed
> by yet another user who doesn't know where to go for help.

IIRC the maximum number is limited to 32 groups for a single user. Just in
case you are going to add more :)

 Balu




Re: Users, groups, rights and apache please advice

2003-10-09 Thread Brian May
On Thu, Oct 09, 2003 at 05:01:31PM +0200, Thomas -Balu- Walter wrote:
> IIRC the maximum number is limited to 32 groups for a single user. Just in
> case you are going to add more :)

What happens if you exceed this limit?
-- 
Brian May <[EMAIL PROTECTED]>




RE: Users, groups, rights and apache please advice

2003-10-10 Thread Ron Rademaker
Hmm... I don't like that, well I'll look into ACL then






Re: Users, groups, rights and apache please advice

2003-11-20 Thread Rick Moen
Quoting Brian May ([EMAIL PROTECTED]):
> On Thu, Oct 09, 2003 at 05:01:31PM +0200, Thomas -Balu- Walter wrote:
> > IIRC the maximum number is limited to 32 groups for a single user. Just in
> > case you are going to add more :)
> 
> What happens if you exceed this limit?

We encountered this at $FIRM, a lamentable proprietary software concern
that was formerly a fairly decent Linux hardware company.  The 32-user
limit was at the time embedded in both the 2.4.x kernel series and in
glibc.  Attempts to assign group memberships beyond that number just
don't work.

I know that it was being removed from the 2.5.41 kernel code, last year,
in anticipation of its removal from glibc.  I don't know if the glibc 
people caught up with that, or not.

Note:  There are complications for NFS and NIS if group size gets big.
(One might argue that POSIX ACLs are a better solution?)

-- 
Cheers, * Contributing Editor, Linux Gazette *
Rick Moen   -*- See the Linux Gazette in its new home: -*-
[EMAIL PROTECTED]
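As an added example, not from any of the posters: a way to read the running kernel's supplementary-group limit (the NGROUPS_MAX that Rick describes as 32 in the 2.4 kernels and glibc of the time) and to count how many groups an account already holds before it is handed one more domain group. It assumes Linux with getconf or /proc/sys/kernel/ngroups_max; the group file it parses is constructed sample data in /etc/group format, not a real /etc/group.

```shell
#!/bin/sh
# Added example (not from the thread): check the kernel's supplementary group
# limit and count an account's group memberships from an /etc/group-style
# file, so the limit is known before www-data is added to one group per domain.
# Assumptions: Linux with getconf or /proc; the group file below is
# constructed sample data, not a real /etc/group.

set -u

# ngroups_max: per-process supplementary group limit of the running kernel
# (NGROUPS_MAX: 32 on 2.4-era kernels, 65536 on current Linux).
ngroups_max() {
    getconf NGROUPS_MAX 2>/dev/null || cat /proc/sys/kernel/ngroups_max
}

# count_memberships FILE USER: number of groups in FILE that list USER in the
# member field (fourth colon-separated field, comma-separated names).
count_memberships() {
    awk -F: -v u="$2" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { c++; break } }
        END { print c + 0 }' "$1"
}

# check_headroom FILE USER: report memberships against the limit; exit status
# 0 when at least one more group can still be added.
check_headroom() {
    have=$(count_memberships "$1" "$2")
    limit=$(ngroups_max)
    if [ "$have" -lt "$limit" ]; then
        echo "$2 is in $have groups; limit is $limit (room for more)"
        return 0
    fi
    echo "$2 is in $have groups; limit is $limit (no room for more)"
    return 1
}

# Constructed sample group file in the shape of the thread's /etc/group lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
www-data:x:33:
domain1:x:1000:user1,user2,www-data
domain2:x:1001:user3,user4,www-data
domain3:x:1002:user5
staff:x:50:user1,www-data
EOF
check_headroom "$sample" www-data
check_headroom "$sample" user1
rm -f "$sample"
```

Point it at the real /etc/group to get the actual count for www-data; the primary group from /etc/passwd is in addition to what this counts, so keep one spare. On a kernel still carrying the 32-group limit, the membership that exceeds it simply does not take effect for the running process, which is the silent failure Rick describes.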