Security Basics mailing list archives

Unix Permissions: Using groups to isolate users from webserver


From: drax <drax () sweon net>
Date: Mon, 29 Nov 2004 16:42:32 +0100

Hi all,

I am running a server, which has user accounts accessible through ssh and is running a few services, moreover, apache for serving http. Some of these users have vhosts, and therefore apache goes into various users' home dirs to fetch the webpages. I need the users to have full control of their vhost'ed files, and that is why they are in their respective $HOME and belong to them. Some of their web pages (php scripts, etc.) need to be able to write to the filesystem. Therefore apache must be able to write in those particular parts of their $HOME. Additionally, some of their web scripts (conf files with SQL passwords, etc.) need to be protected from other users. But obviously, still be accessible by apache.

The way I solved this problem is the following:
- Apache runs as user "apache" and group "web".

- Users have a default group of "users"
- Users belong to the groups "users" and "web"

- By default, files belong to the user, and the group "users" and have modes 0644/0755

- To protect a file/directory from other users the user must set the modes 0604 or 0705.

- To allow apache to write to a file/directory, they must change the group to "web" and set modes 0660/0770.

- To allow apache to write to a file/directory, and leave that file/directory readable by other users they must change the group to "web" and set modes 0664/0774.

Now comes the question:
As much as this seems to have solved my problem (tested reading/writing by users, web scripts, etc and all works as wanted) is this setup really secure?

Since the users still have to belong to the "web" group to be able to chown their files, could one not write a simple C program which uses the setegid() syscall and run an ls (and whatever he wants) with the "web" group rights?

Obviously this is just the first idea that sprang to mind, but I suppose there could be more. Do you believe my setup is correct and up to the task, or could it be circumvented in a matter of minutes?

Thank you for the feedback

drax
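The four mode cases the post lists, laid out in a scratch directory and then audited by mode bits, as an added example that is not part of the original post. The group names "users" and "web" and the vhost layout under $HOME are taken from the post; the chgrp step is noted in comments but skipped because the script runs unprivileged, so the audit keys purely on permission bits. The two audit functions list what any member of the owning group can modify and what "other" can read, which is the set the poster is asking about (every account in group "web", not only apache, holds the group bits).

```shell
#!/bin/sh
# Added example (not code from the original post): reproduce the post's
# permission scheme in a throwaway tree and audit it by mode bits only.
set -eu

# apply_scheme PATH CASE
# CASE is one of: default | private | webwrite | webwrite-public
# (the four cases from the post; modes differ for files vs directories)
apply_scheme() {
  path=$1; intent=$2
  if [ -d "$path" ]; then
    case "$intent" in
      default)         chmod 0755 "$path" ;;
      private)         chmod 0705 "$path" ;;   # no group bits: hides from "users"
      webwrite)        chmod 0770 "$path" ;;   # plus: chgrp web "$path" (needs the group)
      webwrite-public) chmod 0774 "$path" ;;   # plus: chgrp web "$path"
      *) echo "unknown case: $intent" >&2; return 1 ;;
    esac
  else
    case "$intent" in
      default)         chmod 0644 "$path" ;;
      private)         chmod 0604 "$path" ;;
      webwrite)        chmod 0660 "$path" ;;
      webwrite-public) chmod 0664 "$path" ;;
      *) echo "unknown case: $intent" >&2; return 1 ;;
    esac
  fi
}

# build_layout ROOT: a constructed vhost home dir exercising every case
build_layout() {
  root=$1
  mkdir -p "$root/public_html/uploads" "$root/public_html/cache" "$root/etc"
  : > "$root/public_html/index.html"
  : > "$root/public_html/uploads/keep"
  : > "$root/etc/db.conf"                       # stands in for a conf with SQL creds
  apply_scheme "$root"                          default
  apply_scheme "$root/public_html"              default
  apply_scheme "$root/public_html/index.html"   default
  apply_scheme "$root/etc"                      private
  apply_scheme "$root/etc/db.conf"              private
  apply_scheme "$root/public_html/uploads"      webwrite
  apply_scheme "$root/public_html/uploads/keep" webwrite
  apply_scheme "$root/public_html/cache"        webwrite-public
}

# group_writable ROOT: paths any member of the owning group can modify.
# Under the post's scheme these are exactly the "web"-group paths, i.e.
# what every account that belongs to group "web" can write to.
group_writable() {
  find "$1" -perm -g=w | sort
}

# world_readable ROOT: paths readable by "other". The 0604/0705 "private"
# cases show up here on purpose: apache (group web, not in "users") reads
# them as "other", which is what the post relies on.
world_readable() {
  find "$1" -perm -o=r | sort
}

# count: line counter used for the assertions below
count() { wc -l | tr -d ' '; }

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  build_layout "$tmp/alice"
  echo "group-writable (reachable by every member of the owning group):"
  group_writable "$tmp/alice"
  echo "world-readable:"
  world_readable "$tmp/alice"
  rm -rf "$tmp"
fi
```

Run with `sh script.sh demo`. The second listing is the one to read carefully: the "private" 0604/0705 modes hide a file from group "users" only by granting it to "other", so any account that is neither the owner nor in "users" reads it just as apache does.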

