httpd user and user directory permissions dilemma

2003-11-02 Thread David Christensen

I am running Apache 1.3.26 on Debian 3.0r1 (Woody).  I would like to
enable user ~/public_html directories, but have two security goals which
I cannot solve simultaneously:

1.  Apache should run as the user when reading user pages and running
user CGI scripts.

2.  User home directories should not allow group or world access.


Using the default Debian configuration, placing content into
/home/dpchrist/public_html and browsing to
http://192.168.254.2/~dpchrist/ works just fine.  Enabling per-user
~/public_html/cgi-bin directories in httpd.conf and invoking whoami
from a CGI script in /home/dpchrist/public_html/cgi-bin reports
dpchrist, confirming that goal #1 is met (I'm not sure of the
mechanics, but assume that Apache is making seteuid() and setegid()
system calls at some point before processing the CGI script).  However,
the default Debian home directory permissions are 755, failing goal #2.


When I change my home directory permissions to 700 to meet goal #2,
Apache fails with "Forbidden: You don't have permission to access
/~dpchrist/ on this server. Apache/1.3.26 Server at 192.168.254.2 Port
80."


I don't understand why Apache cannot access my files and folders when
running as my userid.  Does anybody know the explanation?


Does anyone know how to meet both goals simultaneously?


TIA,

David



[EMAIL PROTECTED]:~/d3020g/etc/apache# grep -v '^ *#' httpd.conf | grep -v '^$'
ServerType standalone
ServerRoot /etc/apache
LockFile /var/lock/apache.lock
PidFile /var/run/apache.pid
ScoreBoardFile /var/run/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 100
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so
LoadModule mime_magic_module /usr/lib/apache/1.3/mod_mime_magic.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so
LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so
LoadModule status_module /usr/lib/apache/1.3/mod_status.so
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule alias_module /usr/lib/apache/1.3/mod_alias.so
LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so
LoadModule expires_module /usr/lib/apache/1.3/mod_expires.so
LoadModule unique_id_module /usr/lib/apache/1.3/mod_unique_id.so
LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so
ExtendedStatus On
Port 80
User www-data
Group www-data
ServerAdmin [EMAIL PROTECTED]
ServerName 192.168.254.2
DocumentRoot /var/www
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_userdir.c>
UserDir public_html
</IfModule>
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Order deny,allow
Deny from all
</Limit>
</Directory>
<Directory /home/*/public_html/cgi-bin>
Options +ExecCGI
</Directory>
<IfModule mod_dir.c>
DirectoryIndex index.html index.htm index.shtml index.cgi
</IfModule>
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
UseCanonicalName On
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
MIMEMagicFile share/magic
</IfModule>
HostnameLookups Off
ErrorLog /var/log/apache/error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache/access.log combined
ServerSignature On
Alias /icons/ /usr/share/apache/icons/
<Directory /usr/share/apache/icons>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory /usr/lib/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing NameWidth=*
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType 

Re: [users@httpd] httpd user and user directory permissions dilemma

2003-11-02 Thread Joshua Slive

On Sun, 2 Nov 2003, David Christensen wrote:

> I am running Apache 1.3.26 on Debian 3.0r1 (Woody).  I would like to
> enable user ~/public_html directories, but have two security goals which
> I cannot solve simultaneously:
>
> 1.  Apache should run as the user when reading user pages and running
> user CGI scripts.
>
> 2.  User home directories should not allow group or world access.


Neither of these is possible because of the basic limitations of unix
security.

As you already figured out, you can accomplish part of 1, because suexec
can launch cgi scripts as the user.  The reading user pages part is
impossible, however, and any directory serving web pages must be in some
way accessible by the web server, so 2 isn't possible either.

Why?  Well, under unix, each program must run as a user.  To make apache
more secure, all request processing and serving is done under a
non-root userid (see the User and Group directives).  Obviously, a
non-root userid can't simply switch to some other userid.

Even if you were to run apache as root (not a good move!), this still
wouldn't work.  Each apache process serves many different requests.  If
the process were to switch to a non-root userid to serve a specific
directory, then it couldn't serve requests for any other directory,
because there is no way to get the root permissions back to switch to the
new user.  You could imagine a server that forked a new process to serve
each request, which then exited.  But you can also imagine that such a
server would be dog-slow.

Solutions?  Well, there have been a couple different projects that use the
new threading ability of apache 2 to allow different pools of threads to
be kept around to serve requests under different userids.  This wouldn't
work for dozens or hundreds of different userids, of course.  And none of
these projects has anything production ready.  See the perchild mpm,
which doesn't work.

You could do the same thing by running a number of different instances of
apache on different ports with different privileges and using a reverse
proxy to choose which one gets the requests.  Again, this would be rather
resource intensive and complicated.

The punch-line: you can't do that.  CGI scripts can be launched under
different userids, but ordinary pages (including php scripts launched as
part of the apache process) must use the apache userid.  Hence you need to
provide world or apache-group read and search access to all the files you
want to serve.

(That was probably way more than you wanted to know.  I should put that
into the FAQ so I don't have to repeat it!)

Joshua.


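The "Forbidden" in David's post and Joshua's "read and search access" rule both come down to the POSIX path-walk check: every directory between / and the served file must grant the web server's uid the search (x) bit, and the file itself the read (r) bit. The following is an added example, not code from the thread or from Apache; it models that check for David's layout. The uids, gids and modes (www-data as 33:33, dpchrist as 1000:1000, 755 on public_html, 644 on index.html) are constructed assumptions, not values from the post.

```python
# Added example, not from the thread: model the POSIX access check an Apache
# child (running as www-data) goes through on the way to a user's page.
# All uids, gids and modes below are constructed to mirror David's layout.

UID_ROOT = 0
UID_DPCHRIST, GID_DPCHRIST = 1000, 1000   # constructed; David's account
UID_WWW, GID_WWW = 33, 33                 # constructed; www-data on a Debian box

PAGE = "/home/dpchrist/public_html/index.html"


def build_tree(home_mode):
    """Return {path: (owner_uid, owner_gid, mode)} for David's layout with the
    chosen mode on ~dpchrist; public_html and index.html keep Debian-style defaults."""
    return {
        "/": (UID_ROOT, 0, 0o755),
        "/home": (UID_ROOT, 0, 0o755),
        "/home/dpchrist": (UID_DPCHRIST, GID_DPCHRIST, home_mode),
        "/home/dpchrist/public_html": (UID_DPCHRIST, GID_DPCHRIST, 0o755),
        PAGE: (UID_DPCHRIST, GID_DPCHRIST, 0o644),
    }


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Select the rwx triplet POSIX applies to this process: the owner class if
    the uid matches, else the group class if any process gid matches, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_read(tree, path, uid, gids):
    """Walk every ancestor directory of `path`: each needs the search (x) bit for
    this process, and the final object needs the read (r) bit. uid 0 bypasses
    discretionary access checks. Returns (True, None) or (False, reason)."""
    if uid == UID_ROOT:
        return True, None
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]
    for prefix in prefixes:
        owner_uid, owner_gid, mode = tree[prefix]
        bits = class_bits(mode, owner_uid, owner_gid, uid, gids)
        if prefix == path:
            if not bits & 0o4:
                return False, f"{prefix}: no read permission"
        elif not bits & 0o1:
            return False, f"{prefix}: no search (x) permission"
    return True, None


def serve_as_www_data(home_mode, extra_gids=()):
    """Can the www-data child fetch David's page with ~dpchrist set to home_mode?"""
    return can_read(build_tree(home_mode), PAGE, UID_WWW, {GID_WWW, *extra_gids})


if __name__ == "__main__":
    for mode in (0o755, 0o700, 0o711):
        print(f"~dpchrist mode {mode:o}: www-data ->", serve_as_www_data(mode))
    # Group-based variant of Joshua's "apache-group" option: www-data placed in
    # dpchrist's group, home directory 750.
    print("~dpchrist mode 750 with www-data in group dpchrist ->",
          serve_as_www_data(0o750, extra_gids=(GID_DPCHRIST,)))
    # A suexec'd CGI runs as dpchrist, so the 700 home is no obstacle for it;
    # that is why whoami worked while the static page did not.
    print("mode 700 as dpchrist ->",
          can_read(build_tree(0o700), PAGE, UID_DPCHRIST, {GID_DPCHRIST}))
```

The walk shows where the 700 home directory fails: the request dies at /home/dpchrist for lack of the search bit, before public_html's 755 is ever consulted. Setting the home directory to 711 (search without read) lets www-data traverse it without listing it, and 750 works only if www-data is in the owner's group; either way the served files are still read as www-data, which is Joshua's point that goal #1 cannot be met for ordinary pages.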