httpd user and user directory permissions dilemma
[EMAIL PROTECTED] [EMAIL PROTECTED]:

I am running Apache 1.3.26 on Debian 3.0r1 (Woody). I would like to enable user ~/public_html directories, but have two security goals which I cannot solve simultaneously:

1. Apache should run as the user when reading user pages and running user CGI scripts.

2. User home directories should not allow group or world access.

Using the default Debian configuration, placing content into /home/dpchrist/public_html and browsing to http://192.168.254.2/~dpchrist/ works just fine. Enabling per-user ~/public_html/cgi-bin directories in httpd.conf and invoking whoami from a CGI script in /home/dpchrist/public_html/cgi-bin reports dpchrist, confirming that goal #1 is met (I'm not sure of the mechanics, but assume that Apache is making seteuid() and setegid() system calls at some point before processing the CGI script).

However, the default Debian home directory permissions are 755, failing goal #2. When I change my home directory permissions to 700 to meet goal #2, Apache fails with:

    Forbidden
    You don't have permission to access /~dpchrist/ on this server.
    Apache/1.3.26 Server at 192.168.254.2 Port 80

I don't understand why Apache cannot access my files and folders when running as my userid. Does anybody know the explanation? Does anyone know how to meet both goals simultaneously?
TIA,

David

[EMAIL PROTECTED]:~/d3020g/etc/apache# grep -v '^ *#' httpd.conf | grep -v '^$'
ServerType standalone
ServerRoot /etc/apache
LockFile /var/lock/apache.lock
PidFile /var/run/apache.pid
ScoreBoardFile /var/run/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 100
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so
LoadModule mime_magic_module /usr/lib/apache/1.3/mod_mime_magic.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so
LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so
LoadModule status_module /usr/lib/apache/1.3/mod_status.so
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule alias_module /usr/lib/apache/1.3/mod_alias.so
LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so
LoadModule expires_module /usr/lib/apache/1.3/mod_expires.so
LoadModule unique_id_module /usr/lib/apache/1.3/mod_unique_id.so
LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so
ExtendedStatus On
Port 80
User www-data
Group www-data
ServerAdmin [EMAIL PROTECTED]
ServerName 192.168.254.2
DocumentRoot /var/www
<Directory />
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
<Directory /home/*/public_html/cgi-bin>
    Options +ExecCGI
</Directory>
<IfModule mod_dir.c>
    DirectoryIndex index.html index.htm index.shtml index.cgi
</IfModule>
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
UseCanonicalName On
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile share/magic
</IfModule>
HostnameLookups Off
ErrorLog /var/log/apache/error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache/access.log combined
ServerSignature On
Alias /icons/ /usr/share/apache/icons/
<Directory /usr/share/apache/icons>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory /usr/lib/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
<IfModule mod_autoindex.c>
    IndexOptions FancyIndexing NameWidth=*
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
    AddIconByType
Re: [users@httpd] httpd user and user directory permissions dilemma
On Sun, 2 Nov 2003, David Christensen wrote:

> [EMAIL PROTECTED] [EMAIL PROTECTED]: I am running Apache 1.3.26 on Debian 3.0r1 (Woody). I would like to enable user ~/public_html directories, but have two security goals which I cannot solve simultaneously:
>
> 1. Apache should run as the user when reading user pages and running user CGI scripts.
>
> 2. User home directories should not allow group or world access.

Neither of these is possible because of the basic limitations of unix security. As you already figured out, you can accomplish part of 1, because suexec can launch cgi scripts as the user. The reading user pages part is impossible, however, and any directory serving web pages must be in some way accessible by the web server, so 2 isn't possible either.

Why? Well, under unix, each program must run as a user. To make apache more secure, all request processing and serving is done under a non-root userid (see the User and Group directives). Obviously, a non-root userid can't simply switch to some other userid.

Even if you were to run apache as root (not a good move!), this still wouldn't work. Each apache process serves many different requests. If the process were to switch to a non-root userid to serve a specific directory, then it couldn't serve requests for any other directory, because there is no way to get the root permissions back to switch to the new user. You could imagine a server that forked a new process to serve each request, which then exited. But you can also imagine that such a server would be dog-slow.

Solutions? Well, there have been a couple different projects that use the new threading ability of apache 2 to allow different pools of threads to be kept around to serve requests under different userids. This wouldn't work for dozens or hundreds of different userids, of course. And none of these projects has anything production ready. See the perchild mpm, which doesn't work.
You could do the same thing by running a number of different instances of apache on different ports with different privileges and using a reverse proxy to choose which one gets the requests. Again, this would be rather resource intensive and complicated.

The punch-line: you can't do that. CGI scripts can be launched under different userids, but ordinary pages (including php scripts launched as part of the apache process) must use the apache userid. Hence you need to provide world or apache-group read and search access to all the files you want to serve.

(That was probably way more than you wanted to know. I should put that into the FAQ so I don't have to repeat it!)

Joshua.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
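The permission walk behind the Forbidden in the original question (search access on every directory component, then read access on the file, all evaluated for the web server's own uid) can be modelled in a few lines. The Python below is an added example for this thread, not code from either poster or from Apache; the uids, gids, paths and modes are constructed to mirror the thread (www-data as uid/gid 33, dpchrist as uid/gid 1000, a single index.html under public_html). It shows why a 0700 home directory denies www-data at /home/dpchrist while dpchrist can still read the same file, and it goes one step beyond the reply: 0711 on the home directory grants the search bit the server needs without granting read, so www-data can reach public_html but cannot list the contents of the home directory itself.

```python
from dataclasses import dataclass

# Constructed example modelled on the thread: Debian's www-data (uid/gid 33) and an
# account standing in for "dpchrist" (uid/gid 1000). All values are assumptions.
WWW_DATA_UID, WWW_DATA_GID = 33, 33
USER_UID, USER_GID = 1000, 1000
INDEX = "/home/dpchrist/public_html/index.html"

R, X = 4, 1   # read and search/execute bits of one permission class (rwx = 4, 2, 1)


@dataclass(frozen=True)
class Node:
    uid: int
    gid: int
    mode: int      # permission bits only, e.g. 0o755
    is_dir: bool


def build_fs(home_mode: int) -> dict:
    """Constructed tree /home/dpchrist/public_html/index.html with a chosen home-dir mode."""
    return {
        "/": Node(0, 0, 0o755, True),
        "/home": Node(0, 0, 0o755, True),
        "/home/dpchrist": Node(USER_UID, USER_GID, home_mode, True),
        "/home/dpchrist/public_html": Node(USER_UID, USER_GID, 0o755, True),
        INDEX: Node(USER_UID, USER_GID, 0o644, False),
    }


def has_bits(node: Node, uid: int, gids: set, want: int) -> bool:
    """Classic Unix discretionary check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True                       # root bypasses mode bits; irrelevant for www-data
    if uid == node.uid:
        cls = (node.mode >> 6) & 7
    elif node.gid in gids:
        cls = (node.mode >> 3) & 7
    else:
        cls = node.mode & 7
    return cls & want == want


def check_access(fs: dict, path: str, uid: int, gids: set, want: int):
    """Walk the path the way the kernel does: every directory on the way needs the
    search (x) bit, the target itself needs `want`. Returns (allowed, denying_component)."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        if not has_bits(fs[d], uid, gids, X):
            return False, d
    if not has_bits(fs[path], uid, gids, want):
        return False, path
    return True, None


def can_serve_file(fs: dict, path: str, uid: int, gids: set):
    """Serving a page: x through each directory, r on the file itself."""
    return check_access(fs, path, uid, gids, R)


def can_list_dir(fs: dict, path: str, uid: int, gids: set):
    """Directory listing (Options Indexes): x through each ancestor, r on the directory."""
    if not fs[path].is_dir:
        raise ValueError(f"{path} is not a directory")
    return check_access(fs, path, uid, gids, R)


if __name__ == "__main__":
    www = (WWW_DATA_UID, {WWW_DATA_GID})
    owner = (USER_UID, {USER_GID})
    for home_mode in (0o700, 0o711, 0o755):
        fs = build_fs(home_mode)
        print(f"home {home_mode:o}: www-data serves index -> {can_serve_file(fs, INDEX, *www)}, "
              f"owner -> {can_serve_file(fs, INDEX, *owner)}, "
              f"www-data lists home -> {can_list_dir(fs, '/home/dpchrist', *www)}")
```

The denying component returned for the 0700 case is the home directory, not public_html or the file, which is exactly the symptom in the question: the server never gets far enough to evaluate the permissions the user set on public_html. Anything that runs inside the Apache process (static pages, mod_php) is checked against www-data's uid this way; only a CGI launched through suexec is checked against the user's uid.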