Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Christopher Schultz
Eric,

On 3/9/16 8:44 PM, Eric Covener wrote:
> On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy  
> wrote:
>>  drwxr-x--- username
> 
> 
> If you want to serve out of your home directory, it needs to be
> executable by "other".

Or group-owned by whatever group httpd runs under.

No ownership was previously posted, so it's tough to tell how the
permissions will be applied.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Richard

> Date: Thursday, March 10, 2016 12:24:23 +
> From: Lester Caine 
>
> On 10/03/16 01:40, Francis Roy wrote:
>> This is a new install of Linux Mint 17.x with the default
>> Apache/2.4.7 (Ubuntu) install at /etc/apache2
>> My websites, plain html and PHP are kept on a different hard-drive.
>> /media/username/Terrabyte/00_Server/htdocs
> 
> Francis ...
> Since security on Linux is a high priority, many of the default
> actions are set up with that in mind.
> When Apache is installed it uses its own user and group and if the
> demo site is also created this is owned by that. I think Ubuntu uses
> 'www-data' and 'www' so the tidy way of changing your setup is to
> 
> chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

For security reasons, the documentroot directory and files, and other
server related directories/files (configuration, etc.) should never
be owned or writable by the user or group that the web server runs
under. As appropriate they need to be readable by the web server, but
never owned/writable by its user/group (www-data:www in this context).

The issue is that if the web server's user/group own/can write to
those directories/files, if someone is able to break through the
server - either an issue with the server or more likely some poorly
written script - they will control those directories/files and be
able to deface the served content and perhaps more with ease, i.e.,
"own" what is served by your web server.

In general, the documentroot directories/files should be owned by
some unprivileged user and (only) readable by "other".

There may be times when it seems necessary to have the web server
have write access to the directories/files, e.g., for content
updates. In such cases, care needs to be given to how this is done to
ensure that security is maintained.






Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Lester Caine
On 10/03/16 01:40, Francis Roy wrote:
> This is a new install of Linux Mint 17.x with the default Apache/2.4.7
> (Ubuntu) install at /etc/apache2
> My websites, plain html and PHP are kept on a different hard-drive.
> /media/username/Terrabyte/00_Server/htdocs

Francis ...
Since security on Linux is a high priority, many of the default actions
are set up with that in mind.
When Apache is installed it uses its own user and group and if the demo
site is also created this is owned by that. I think Ubuntu uses
'www-data' and 'www' so the tidy way of changing your setup is to

chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

Then the chmod can be locked down again.

Of course this will be a problem if you want to edit the content of the
htdoc tree since you no longer own them. I have to admit to simply
opening up access on the development machines, but on production sites I
copy the new files over then correct their user/group.

Another way around the 'problem' if you are the only user on the machine
is to edit the User/Group settings in the apache config files. This can
be fun to find, and used to be in apache.conf, but that may simply link
to uid.conf ... each distribution seems to have its own preferences on
setting this up.

Adding to the jigsaw, the user for a database connection on the same
machine may be different again. All of this is not really an 'icepick',
but makes a lot more sense once one switches off from M$ mode.

-- 
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk




Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Francis Roy

On 16-03-09 09:47 PM, Kurtis Rader wrote:
> On Wed, Mar 9, 2016 at 6:38 PM, Francis Roy wrote:
>
>> Thank you that answers my question quite nicely. It's not a giant
>> flag waving at the internet, but if someone got a hold of my machine
>> directly, it could provide a small bit of information used in a
>> general strategy.
>
> Just to be pedantic "they" don't have to get a hold of your machine
> directly. If the attacker can install software of their choosing, say by
> exploiting a vulnerability in your web server, then that software could
> exploit the looser permissions on your home directory. But that is moot
> given that you already had to grant the web server access to your home
> directory in order to support your requirements. The concern now is
> whether user accounts on your machine other than the one running the
> apache web server can exploit those looser permissions.


It's my personal, sole-user development machine tucked away behind a 
NAT. I just wanted to be sure that I wasn't doing the equivalent of 
opening up common ports.


By the way, can you recommend a good, practical Linux security forum or 
list? New OS means I have to learn new specifics and tricks.





Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Wim Lewis

On Mar 9, 2016, at 6:38 PM, Francis Roy  wrote:
> Thank you that answers my question quite nicely. It's not a giant flag waving 
> at the internet, but if someone got a hold of my machine directly, it could 
> provide a small bit of information used in a general strategy.

Right. It's not automatically unsafe to allow other users to see your mounted 
disks' contents[1], but the casual user's expectation is that user A can't tell 
what files user B has, so the default setup is to disallow that.

But if you *want* to expose some files to other users (in this case, to the 
"_www" user that Apache runs as) then it's reasonable to give them execute (aka 
search) and possibly read permission.







Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Kurtis Rader
On Wed, Mar 9, 2016 at 6:38 PM, Francis Roy 
wrote:
>
> Thank you that answers my question quite nicely. It's not a giant flag
> waving at the internet, but if someone got a hold of my machine directly,
> it could provide a small bit of information used in a general strategy.


Just to be pedantic "they" don't have to get a hold of your machine
directly. If the attacker can install software of their choosing, say by
exploiting a vulnerability in your web server, then that software could
exploit the looser permissions on your home directory. But that is moot
given that you already had to grant the web server access to your home
directory in order to support your requirements. The concern now is whether
user accounts on your machine other than the one running the apache web
server can exploit those looser permissions.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank


Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Francis Roy

On 16-03-09 09:29 PM, Kurtis Rader wrote:

On Wed, Mar 9, 2016 at 6:17 PM, Francis Roy 

Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Kurtis Rader
On Wed, Mar 9, 2016 at 6:17 PM, Francis Roy 
wrote:

> On 16-03-09 08:44 PM, Eric Covener wrote:
>
>> If you want to serve out of your home directory, it needs to be
>> executable by "other".
>>
>
> Thank you, Eric and Kurtis, both. That was the problem.
>
> I did the following:
>sudo chmod 755 /home/username
>
> If I may, a follow-up question: does this create a potential security
> vulnerability on my machine that I should find measures of protecting?


Probably not but it's not the sort of question anyone can answer without
spending a few days reviewing your situation. The reason most UNIX distros
create the home directory for a user with mode 750 (no public access) is to
make it impossible for other accounts on the machine, which aren't a member
of your primary group, to guess whether a file is present by exploiting the
search capability. In other words, if you've done "chmod 751" then even if
I'm not a member of the group that owns your home directory I can execute
"ls /media/username/$filename" commands (or equivalent) to probe whether
$filename exists. It's a potential information leak that could
theoretically be used to launch an attack. Whether that's a concern for you
depends on a lot of factors.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank


Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Francis Roy

On 16-03-09 08:44 PM, Eric Covener wrote:
> If you want to serve out of your home directory, it needs to be
> executable by "other".


Thank you, Eric and Kurtis, both. That was the problem.

I did the following:
   sudo chmod 755 /home/username


If I may, a follow-up question: does this create a potential security 
vulnerability on my machine that I should find measures of protecting?






Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Eric Covener
On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy  wrote:
>  drwxr-x--- username


If you want to serve out of your home directory, it needs to be
executable by "other".

-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-09 Thread Kurtis Rader
If we take the error message at face value this part of it, "because search
permissions are missing", is relevant. In the UNIX filesystem permission
model the "file" permissions mean the following when applied to a directory:

read: The process can read the contents of the directory; i.e., enumerate
all the file/directory names contained within it. The "ls" command, for
example, requires read access to list the contents of a directory.

write: The process can modify the contents of the directory; i.e., create
and remove files in the directory.

execute: The process can search the directory; i.e., if it knows the name
of a file or subdirectory it can access it.

What that error is telling you is that the user ID that Apache is running
as does not have the ability to "search" one of the directories in the path
to the file. This means that either the public execute bit is not set, or
the group execute bit is not set or if set apache is not a member of that
group, or the user execute bit is not set or if set apache is not running
as that user.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
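Added example, not posted by anyone in this thread: a POSIX shell script that turns Kurtis's explanation of directory search permission and Richard's rule that the server account must never own or write the docroot into two checks, run against a constructed copy of the /home/username/htdocs layout. It assumes GNU stat and find; the account name www-data is the one Lester mentions and is only consulted if it exists on the host.

```shell
# Print the first directory on the way to $1 whose mode denies search (execute)
# to "other", i.e. to a process that is neither the owner nor in the owning
# group; that is the "search permissions are missing" case Kurtis describes.
# Returns 1 when such a directory exists, 0 when the whole path is searchable.
first_unsearchable_dir() {
  cur='' rest=${1#/}
  while [ -n "$rest" ]; do
    comp=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest='' ;; esac
    cur="$cur/$comp"
    [ -d "$cur" ] || break                 # reached the file itself
    mode=$(stat -c '%a' "$cur")            # GNU stat: octal mode, e.g. 750, 1777
    case $mode in
      *[1357]) ;;                          # last digit odd: o+x is set
      *) printf '%s (mode %s)\n' "$cur" "$mode"; return 1 ;;
    esac
  done
  return 0
}

# List entries under docroot $1 that server account $2 could modify: owned by
# it, or writable by "other". Per Richard's rule the output should be empty;
# the server only needs to read the tree.
audit_docroot() {
  if id -u "$2" >/dev/null 2>&1; then
    find "$1" \( -user "$2" -o -perm -o+w \) -print
  else   # account absent on this host: only the other-writable check applies
    find "$1" -perm -o+w -print
  fi
}

# Constructed stand-in for /home/username/htdocs so the checks run anywhere.
make_fixture() {
  root=$(mktemp -d) && chmod 755 "$root"
  mkdir -p "$root/home/username/htdocs"
  chmod 755 "$root/home" "$root/home/username/htdocs"
  chmod 750 "$root/home/username"                    # drwxr-x--- as posted
  : > "$root/home/username/htdocs/index.html"
  chmod 666 "$root/home/username/htdocs/index.html"  # sloppy: other-writable
  printf '%s\n' "$root"
}
demo() {
  r=$(make_fixture)
  first_unsearchable_dir "$r/home/username/htdocs/index.html" || :  # home, 750
  chmod 755 "$r/home/username"                                       # the fix
  first_unsearchable_dir "$r/home/username/htdocs/index.html" && echo 'path searchable'
  audit_docroot "$r/home/username/htdocs" www-data                  # index.html
  rm -rf "$r"
}
demo
```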