RE: [EMAIL PROTECTED] Question on permissions
>Is there a way to dump to screen the apache "environment stuff" to what exactly apache sees? I looked at the man pages for apache2 and apache2ctl searching for 'environment' ... no matches. There is a printenv CGI script which is usually installed by default but not activated by default. Put it in a cgi directory, run it and you see what the environment variables for an Apache request look like. Don't activate it on a production environment by the way, it's a sample script, it's known to be unsafe. Joost
Re: [EMAIL PROTECTED] Question on permissions
... to see what exactly apache sees? Richard Geddes wrote: > U, > > Thanks... restarting or reloading seemed to apply the changes made to > /etc/group file. > > Is there a way to dump to screen the apache "environment stuff" to > what exactly apache sees? I looked at the man pages for apache2 and > apache2ctl searching for 'environment' ... no matches. > > R > > Udo Rader wrote: >> On Tue, 2008-02-26 at 11:08 -0500, Richard Geddes wrote: >> >>> Thanks for the response. >>> >>> I set up a directory under the main DocumentRoot called test >>> >>> drwxr-xr-x 2 rgeddes rgeddes 80 2008-02-18 15:18 test >>> >>> and it appeared in a directory listing in the webpage of my main >>> DocumentRoot. >>> >>> Changed permissions as follows: >>> >>> drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test >>> >>> and test disappears from the webpage (this makes sense) >>> >>> changed group as follows: >>> >>> drwxr-x--- 2 rgeddes www-data 80 2008-02-18 15:18 test >>> >>> and test appears in the webpage (this makes sense) as the servers are >>> running as www-data. >>> >>> Now if I change the group back to: >>> >>> drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test >>> >>> and I add www-data to the rgeddes group in /etc/group, the directory >>> fails to show up. This does not make sense to me as www-data is part >>> of the rgeddes group and rgeddes has r-x permissions. >>> >>> Is there a reason why www-data is not being granted rgeddes group >>> permissions? >>> >> >> restart Apache. Apache, like any other UNIX process "rembers" some basic >> "environmental" stuff, like the (secondary) group membership(s) of the >> user it runs under. >> >> Restarting Apache makes it "refetch" this kind data. >> >>
Re: [EMAIL PROTECTED] Question on permissions
U, Thanks... restarting or reloading seemed to apply the changes made to /etc/group file. Is there a way to dump to screen the apache "environment stuff" to what exactly apache sees? I looked at the man pages for apache2 and apache2ctl searching for 'environment' ... no matches. R Udo Rader wrote: > On Tue, 2008-02-26 at 11:08 -0500, Richard Geddes wrote: > >> Thanks for the response. >> >> I set up a directory under the main DocumentRoot called test >> >> drwxr-xr-x 2 rgeddes rgeddes 80 2008-02-18 15:18 test >> >> and it appeared in a directory listing in the webpage of my main >> DocumentRoot. >> >> Changed permissions as follows: >> >> drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test >> >> and test disappears from the webpage (this makes sense) >> >> changed group as follows: >> >> drwxr-x--- 2 rgeddes www-data 80 2008-02-18 15:18 test >> >> and test appears in the webpage (this makes sense) as the servers are >> running as www-data. >> >> Now if I change the group back to: >> >> drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test >> >> and I add www-data to the rgeddes group in /etc/group, the directory >> fails to show up. This does not make sense to me as www-data is part >> of the rgeddes group and rgeddes has r-x permissions. >> >> Is there a reason why www-data is not being granted rgeddes group >> permissions? >> > > restart Apache. Apache, like any other UNIX process "rembers" some basic > "environmental" stuff, like the (secondary) group membership(s) of the > user it runs under. > > Restarting Apache makes it "refetch" this kind data. > >
Re: [EMAIL PROTECTED] Question on permissions
A Thanks for the input. I found www-data in both the /etc/passwd and /etc/group files, so I assume there is in fact a www-data user and a www-data group. Restarting or reloading the apache server seemed to apply the changes made to the /etc/group file... ie grant the www-data user rgeddes group permissions. R Adam Martin wrote: > > Richard, > > > > I’m new to the group and thought I’d take a crack at this one. Is > www-data a user or group? From the end of your email it sounds like a > user since you added it to the rgeddes group but I am a little > confused when you changed the group from rgeddes to www-data in the > middle of your example. If it is a group then I don’t believe you can > add a group to another group in the /etc/group file. > > > > If it is a user I did a quick test one of our servers to verify but I > don’t believe the adding of a user to a group is dynamic. In order > for the new group assignment to take affect I had to log out and log > in as the test user for the id command to reflect the change. You > didn’t mention it in your email but did you try and restart your > server after adding the www-data user to the rgeddes group? > > > > My apologies if I am misunderstanding your question. > > > > > > *From:* Richard Geddes [mailto:[EMAIL PROTECTED] > *Sent:* Tuesday, February 26, 2008 10:08 AM > *To:* users@httpd.apache.org > *Subject:* Re: [EMAIL PROTECTED] Question on permissions > > > > Thanks for the response. > > I set up a directory under the main DocumentRoot called test > > drwxr-xr-x 2 rgeddes rgeddes 80 2008-02-18 15:18 test > > and it appeared in a directory listing in the webpage of my main > DocumentRoot. > > Changed permissions as follows: > > drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test > > and test disappears from the webpage (this makes sense) > > changed group as follows: > > drwxr-x--- 2 rgeddes www-data 80 2008-02-18 15:18 test > > and test appears in the webpage (this makes sense) as the servers are > running as www-data. > > Now if I change the group back to: > > drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test > > and I add www-data to the rgeddes group in /etc/group, the directory > fails to show up. This does not make sense to me as www-data is part > of the rgeddes group and rgeddes has r-x permissions. > > Is there a reason why www-data is not being granted rgeddes group > permissions? > > Thanks > Richard > > > Joshua Slive wrote: > > On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes > <[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED]> wrote: > >> Hello, >> >> I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual >> hosting . The apache servers servicing requests run as www-data. >> >> The idea is to allow users to make their own websites under their home >> directories, and for the admin to symlink the users' DocumentRoot >> directories below main DocumentRoot directory, and have the apache >> configuration file with sections direct the http requests >> appropriately. >> >> I got this to work correctly, but I had to set the 'other' execution bit >> for directories that lead to the users symlinked directory. This means >> that users will have execute permissions on each others' directories, >> but I want to keep the users strictly separated from each other I >> think the FAQ suggests this, if I'm not mistaken, but I think there is a >> security issue here. >> > > Having world-executable (searchable, really) home directories is not > an uncommon configuration. Yes, your users need to be a little more > careful about the permissions of stuff inside their home directories, > but that isn't such a big deal. > > Alternatively, do the symlink in the other direction: put the > directories under DocumentRoot and include a symlink in the home > directories pointing to the correct location so your users know what > to edit. > > Joshua. > > - > The official User-To-User support forum of the Apache HTTP Server Project. > See http://httpd.apache.org/userslist.html> > <http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >" from the digest: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > > >
Re: [EMAIL PROTECTED] Question on permissions
On Tue, 2008-02-26 at 11:08 -0500, Richard Geddes wrote: > Thanks for the response. > > I set up a directory under the main DocumentRoot called test > > drwxr-xr-x 2 rgeddes rgeddes 80 2008-02-18 15:18 test > > and it appeared in a directory listing in the webpage of my main > DocumentRoot. > > Changed permissions as follows: > > drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test > > and test disappears from the webpage (this makes sense) > > changed group as follows: > > drwxr-x--- 2 rgeddes www-data 80 2008-02-18 15:18 test > > and test appears in the webpage (this makes sense) as the servers are > running as www-data. > > Now if I change the group back to: > > drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test > > and I add www-data to the rgeddes group in /etc/group, the directory > fails to show up. This does not make sense to me as www-data is part > of the rgeddes group and rgeddes has r-x permissions. > > Is there a reason why www-data is not being granted rgeddes group > permissions? restart Apache. Apache, like any other UNIX process "rembers" some basic "environmental" stuff, like the (secondary) group membership(s) of the user it runs under. Restarting Apache makes it "refetch" this kind data. -- Udo Rader bestsolution.at EDV Systemhaus GmbH http://www.bestsolution.at signature.asc Description: This is a digitally signed message part
RE: [EMAIL PROTECTED] Question on permissions
Richard, I'm new to the group and thought I'd take a crack at this one. Is www-data a user or group? From the end of your email it sounds like a user since you added it to the rgeddes group but I am a little confused when you changed the group from rgeddes to www-data in the middle of your example. If it is a group then I don't believe you can add a group to another group in the /etc/group file. If it is a user I did a quick test one of our servers to verify but I don't believe the adding of a user to a group is dynamic. In order for the new group assignment to take affect I had to log out and log in as the test user for the id command to reflect the change. You didn't mention it in your email but did you try and restart your server after adding the www-data user to the rgeddes group? My apologies if I am misunderstanding your question. From: Richard Geddes [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 26, 2008 10:08 AM To: users@httpd.apache.org Subject: Re: [EMAIL PROTECTED] Question on permissions Thanks for the response. I set up a directory under the main DocumentRoot called test drwxr-xr-x 2 rgeddes rgeddes 80 2008-02-18 15:18 test and it appeared in a directory listing in the webpage of my main DocumentRoot. Changed permissions as follows: drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test and test disappears from the webpage (this makes sense) changed group as follows: drwxr-x--- 2 rgeddes www-data 80 2008-02-18 15:18 test and test appears in the webpage (this makes sense) as the servers are running as www-data. Now if I change the group back to: drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test and I add www-data to the rgeddes group in /etc/group, the directory fails to show up. This does not make sense to me as www-data is part of the rgeddes group and rgeddes has r-x permissions. Is there a reason why www-data is not being granted rgeddes group permissions? Thanks Richard Joshua Slive wrote: On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes <[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED]> wrote: Hello, I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual hosting . The apache servers servicing requests run as www-data. The idea is to allow users to make their own websites under their home directories, and for the admin to symlink the users' DocumentRoot directories below main DocumentRoot directory, and have the apache configuration file with sections direct the http requests appropriately. I got this to work correctly, but I had to set the 'other' execution bit for directories that lead to the users symlinked directory. This means that users will have execute permissions on each others' directories, but I want to keep the users strictly separated from each other I think the FAQ suggests this, if I'm not mistaken, but I think there is a security issue here. Having world-executable (searchable, really) home directories is not an uncommon configuration. Yes, your users need to be a little more careful about the permissions of stuff inside their home directories, but that isn't such a big deal. Alternatively, do the symlink in the other direction: put the directories under DocumentRoot and include a symlink in the home directories pointing to the correct location so your users know what to edit. Joshua. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> <http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Question on permissions
Thanks for the response. I set up a directory under the main DocumentRoot called test drwxr-xr-x 2 rgeddes rgeddes 80 2008-02-18 15:18 test and it appeared in a directory listing in the webpage of my main DocumentRoot. Changed permissions as follows: drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test and test disappears from the webpage (this makes sense) changed group as follows: drwxr-x--- 2 rgeddes www-data 80 2008-02-18 15:18 test and test appears in the webpage (this makes sense) as the servers are running as www-data. Now if I change the group back to: drwxr-x--- 2 rgeddes rgeddes 80 2008-02-18 15:18 test and I add www-data to the rgeddes group in /etc/group, the directory fails to show up. This does not make sense to me as www-data is part of the rgeddes group and rgeddes has r-x permissions. Is there a reason why www-data is not being granted rgeddes group permissions? Thanks Richard Joshua Slive wrote: > On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes > <[EMAIL PROTECTED]> wrote: > >> Hello, >> >> I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual >> hosting . The apache servers servicing requests run as www-data. >> >> The idea is to allow users to make their own websites under their home >> directories, and for the admin to symlink the users' DocumentRoot >> directories below main DocumentRoot directory, and have the apache >> configuration file with sections direct the http requests >> appropriately. >> >> I got this to work correctly, but I had to set the 'other' execution bit >> for directories that lead to the users symlinked directory. This means >> that users will have execute permissions on each others' directories, >> but I want to keep the users strictly separated from each other I >> think the FAQ suggests this, if I'm not mistaken, but I think there is a >> security issue here. >> > > Having world-executable (searchable, really) home directories is not > an uncommon configuration. Yes, your users need to be a little more > careful about the permissions of stuff inside their home directories, > but that isn't such a big deal. > > Alternatively, do the symlink in the other direction: put the > directories under DocumentRoot and include a symlink in the home > directories pointing to the correct location so your users know what > to edit. > > Joshua. > > - > The official User-To-User support forum of the Apache HTTP Server Project. > See http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] >" from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > >
Re: [EMAIL PROTECTED] Question on permissions
On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes <[EMAIL PROTECTED]> wrote: > Hello, > > I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual > hosting . The apache servers servicing requests run as www-data. > > The idea is to allow users to make their own websites under their home > directories, and for the admin to symlink the users' DocumentRoot > directories below main DocumentRoot directory, and have the apache > configuration file with sections direct the http requests > appropriately. > > I got this to work correctly, but I had to set the 'other' execution bit > for directories that lead to the users symlinked directory. This means > that users will have execute permissions on each others' directories, > but I want to keep the users strictly separated from each other I > think the FAQ suggests this, if I'm not mistaken, but I think there is a > security issue here. Having world-executable (searchable, really) home directories is not an uncommon configuration. Yes, your users need to be a little more careful about the permissions of stuff inside their home directories, but that isn't such a big deal. Alternatively, do the symlink in the other direction: put the directories under DocumentRoot and include a symlink in the home directories pointing to the correct location so your users know what to edit. Joshua. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]