Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
Eric,

On 3/9/16 8:44 PM, Eric Covener wrote:
> On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy wrote:
>> drwxr-x--- username
>
> If you want to serve out of your home directory, it needs to be
> executable by "other".

Or group-owned by whatever group httpd runs under. No ownership was previously posted, so it's tough to tell how the permissions will be applied.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
> Date: Thursday, March 10, 2016 12:24:23 +
> From: Lester Caine
>
> On 10/03/16 01:40, Francis Roy wrote:
>> This is a new install of Linux Mint 17.x with the default
>> Apache/2.4.7 (Ubuntu) install at /etc/apache2
>> My websites, plain html and PHP are kept on a different hard-drive.
>> /media/username/Terrabyte/00_Server/htdocs
>
> Francis ...
> Since security on Linux is a high priority, many of the default
> actions are set up with that in mind.
> When Apache is installed it uses its own user and group and if the
> demo site is also created this is owned by that. I think Ubuntu uses
> 'www-data' and 'www' so the tidy way of changing your setup is to
>
> chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

For security reasons, the documentroot directory and files, and other server related directories/files (configuration, etc.) should never be owned or writable by the user or group that the web server runs under. As appropriate they need to be readable by the web server, but never owned/writable by its user/group (www-data:www in this context).

The issue is that if the web server's user/group own/can write to those directories/files, and someone is able to break through the server - either an issue with the server or more likely some poorly written script - they will control those directories/files and be able to deface the served content and perhaps more with ease, i.e., "own" what is served by your web server.

In general, the documentroot directories/files should be owned by some unprivileged user and (only) readable by "other". There may be times when it seems necessary to have the web server have write access to the directories/files, e.g., for content updates. In such cases, care needs to be given to how this is done to ensure that security is maintained.
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On 10/03/16 01:40, Francis Roy wrote:
> This is a new install of Linux Mint 17.x with the default Apache/2.4.7
> (Ubuntu) install at /etc/apache2
> My websites, plain html and PHP are kept on a different hard-drive.
> /media/username/Terrabyte/00_Server/htdocs

Francis ...
Since security on Linux is a high priority, many of the default actions are set up with that in mind.

When Apache is installed it uses its own user and group and if the demo site is also created this is owned by that. I think Ubuntu uses 'www-data' and 'www' so the tidy way of changing your setup is to

chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

Then the chmod can be locked down again. Of course this will be a problem if you want to edit the content of the htdoc tree since you no longer own them. I have to admit to simply opening up access on the development machines, but on production sites I copy the new files over then correct their user/group.

Another way around the 'problem' if you are the only user on the machine is to edit the User/Group settings in the apache config files. This can be fun to find, and used to be in apache.conf, but that may simply link to uid.conf ... each distribution seems to have its own preferences on setting this up. Adding to the jigsaw, the user for a database connection on the same machine may be different again.

All of this is not really an 'icepick', but makes a lot more sense once one switches off from M$ mode.

-- 
Lester Caine - G8HFL - Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On 16-03-09 09:47 PM, Kurtis Rader wrote:
> On Wed, Mar 9, 2016 at 6:38 PM, Francis Roy wrote:
>> Thank you that answers my question quite nicely. It's not a giant flag
>> waving at the internet, but if someone got a hold of my machine directly,
>> it could provide a small bit of information used in a general strategy.
>
> Just to be pedantic "they" don't have to get a hold of your machine
> directly. If the attacker can install software of their choosing, say by
> exploiting a vulnerability in your web server, then that software could
> exploit the looser permissions on your home directory. But that is moot
> given that you already had to grant the web server access to your home
> directory in order to support your requirements. The concern now is
> whether user accounts on your machine other than the one running the
> apache web server can exploit those looser permissions.

It's my personal, sole-user development machine tucked away behind a NAT. I just wanted to be sure that I wasn't doing the equivalent of opening up common ports.

By the way, can you recommend a good, practical Linux security forum or list? New OS means I have to learn new specifics and tricks.
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On Mar 9, 2016, at 6:38 PM, Francis Roy wrote:
> Thank you that answers my question quite nicely. It's not a giant flag waving
> at the internet, but if someone got a hold of my machine directly, it could
> provide a small bit of information used in a general strategy.

Right. It's not automatically unsafe to allow other users to see your mounted disks' contents[1], but the casual user's expectation is that user A can't tell what files user B has, so the default setup is to disallow that. But if you *want* to expose some files to other users (in this case, to the "_www" user that Apache runs as) then it's reasonable to give them execute (aka search) and possibly read permission.
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On Wed, Mar 9, 2016 at 6:38 PM, Francis Roy wrote:
>
> Thank you that answers my question quite nicely. It's not a giant flag
> waving at the internet, but if someone got a hold of my machine directly,
> it could provide a small bit of information used in a general strategy.

Just to be pedantic "they" don't have to get a hold of your machine directly. If the attacker can install software of their choosing, say by exploiting a vulnerability in your web server, then that software could exploit the looser permissions on your home directory. But that is moot given that you already had to grant the web server access to your home directory in order to support your requirements. The concern now is whether user accounts on your machine other than the one running the apache web server can exploit those looser permissions.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On 16-03-09 09:29 PM, Kurtis Rader wrote:
> On Wed, Mar 9, 2016 at 6:17 PM, Francis Roy
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On Wed, Mar 9, 2016 at 6:17 PM, Francis Roy wrote:
> On 16-03-09 08:44 PM, Eric Covener wrote:
>
>> If you want to serve out of your home directory, it needs to be
>> executable by "other".
>>
>
> Thank you, Eric and Kurtis, both. That was the problem.
>
> I did the following:
> sudo chmod 755 /home/username
>
> If I may, a follow-up question: does this create a potential security
> vulnerability on my machine that I should find measures of protecting?

Probably not but it's not the sort of question anyone can answer without spending a few days reviewing your situation. The reason most UNIX distros create the home directory for a user with mode 750 (no public access) is to make it impossible for other accounts on the machine, which aren't a member of your primary group, to guess whether a file is present by exploiting the search capability. In other words, if you've done "chmod 751" then even if I'm not a member of the group that owns your home directory I can execute "ls /media/username/$filename" commands (or equivalent) to probe whether $filename exists. It's a potential information leak that could theoretically be used to launch an attack. Whether that's a concern for you depends on a lot of factors.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On 16-03-09 08:44 PM, Eric Covener wrote:
> If you want to serve out of your home directory, it needs to be
> executable by "other".

Thank you, Eric and Kurtis, both. That was the problem.

I did the following:
sudo chmod 755 /home/username

If I may, a follow-up question: does this create a potential security vulnerability on my machine that I should find measures of protecting?
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy wrote:
> drwxr-x--- username

If you want to serve out of your home directory, it needs to be executable by "other".

-- 
Eric Covener
cove...@gmail.com
Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
If we take the error message at face value this part of it, "because search permissions are missing", is relevant. In the UNIX filesystem permission model the "file" permissions mean the following when applied to a directory:

read: The process can read the contents of the directory; i.e., enumerate all the file/directory names contained within it. The "ls" command, for example, requires read access to list the contents of a directory.

write: The process can modify the contents of the directory; i.e., create and remove files in the directory.

execute: The process can search the directory; i.e., if it knows the name of a file or subdirectory it can access it.

What that error is telling you is that the user ID that Apache is running as does not have the ability to "search" one of the directories in the path to the file. This means that either the public execute bit is not set, or the group execute bit is not set or if set apache is not a member of that group, or the user execute bit is not set or if set apache is not running as that user.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
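As an added example (not code from anyone in this thread), a small Python audit that applies the directory-permission rules explained above: it walks every directory from / down to a docroot and reports which ones a given uid cannot search, and separately checks whether that uid holds the write bit on the docroot (the ownership point raised earlier in the thread). The directory tree, the stand-in uid (owner + 1) and the empty group set in `demo()` are constructed for the demonstration; real use would pass the docroot path and www-data's uid and group ids.

```python
import os
import stat
import tempfile

def effective_bits(mode, st_uid, st_gid, uid, gids):
    """(read, write, execute) that uid/gids get from an inode's mode bits."""
    # owner -> user triplet, group member -> group triplet, else "other"
    shift = 6 if st_uid == uid else 3 if st_gid in gids else 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def ancestors(path):
    """['/', '/a', '/a/b', ...] leading down to an absolute path."""
    path, chain = os.path.abspath(path), []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return chain[::-1]
        path = parent

def missing_search(path, uid, gids):
    """Directories from / down to path that uid/gids cannot search (execute):
    the ones behind a "search permissions are missing" error."""
    blocked = []
    for d in ancestors(path):
        st = os.stat(d)
        _, _, x = effective_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not x:
            blocked.append(d)
    return blocked

def writable_by(path, uid, gids):
    """Write bit for uid/gids on path; the docroot should deny this to httpd."""
    st = os.stat(path)
    return effective_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)[1]

def demo():
    """Constructed tree (home 750, htdocs 755); uid owner+1 with no groups stands in for www-data."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    home = os.path.join(root, "username")
    htdocs = os.path.join(home, "htdocs")
    os.makedirs(htdocs)
    os.chmod(home, 0o750)
    os.chmod(htdocs, 0o755)
    www = os.getuid() + 1
    before = missing_search(htdocs, www, set())
    os.chmod(home, 0o755)          # the chmod 755 applied in the thread
    after = missing_search(htdocs, www, set())
    return home, htdocs, www, before, after
```

Before the chmod, `demo()` lists the home directory as blocked for the stand-in uid; afterwards it no longer does, while `writable_by(htdocs, www, set())` stays False because only the owner holds the write bit.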