
Unix Permissions: Using groups to isolate users from webserver

Subject: Unix Permissions: Using groups to isolate users from webserver
Date: Mon, 29 Nov 2004 16:42:32 +0100
Hi all,

I am running a server, which has user accounts accessible through ssh and is running a few services, moreover, apache for serving http.
Some of these users have vhosts, and therefore apache goes in various user's home dir to fetch the webpages.
I need the users to have full control of their vhost'ed files, and that is why they are in their respective $HOME and belong to them.
Some of their web pages (php scripts, etc.) need to be able to write to the filesystem. Therefore apache must be able to write in those particular parts of their $HOME.
Additionally, some of their web scripts (conf files with SQL passwords, etc.), need to be protected from other users. But obviously, still be accessible by apache.


The way I solved this problem is the following:
- Apache runs as user "apache" and group "web".

- Users have a default group of "users"
- Users belong to the groups "users" and "web"

- By default, files belong to the user, and the group "users" and have modes 0644/0755

- To protect a file/directory from other users the user must set the modes 0604 or 0705.

- To allow apache to write to a file/directory, they must change the group to "web" and set modes 0660/0770.

- To allow apache to write to a file/directory, and leave that file/directory readable by other users they must change the group to "web" and set modes 0664/0774.

Now comes the question
As much as this seems to have solved my problem (tested reading/writing by users, web scripts, etc and all works as wanted) is this setup really secure?


Since the users still have to belong to the "web" group to be able to chown their files, could one not write a simple C program which uses the setegid() syscall and run an ls (and whatever he wants) with the "web" group rights?

Obviously this is just the first idea that sprang to mind, but I suppose there could be more. Do you believe my setup is correct and up to the task, or could it be circumvented in a matter of minutes?

Thank you for the feedback

drax
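
Added example, not part of the original post: a Python model of the classic Unix owner/group/other permission check, applied to the owner, group and mode combinations listed in the message. The accounts "alice" and "bob" are constructed; root, ACLs and the permissions of parent directories are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    user: str
    groups: frozenset  # primary and supplementary groups together


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int


def access(proc, f):
    """Return the rwx string granted to proc; only the FIRST matching class counts."""
    if proc.user == f.owner:
        bits = (f.mode >> 6) & 7      # owner class
    elif f.group in proc.groups:
        bits = (f.mode >> 3) & 7      # group class, even if "other" would grant more
    else:
        bits = f.mode & 7             # other class
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))


# Constructed principals following the post: users are in "users" and "web",
# apache runs with group "web" only.
ALICE = Proc("alice", frozenset({"users", "web"}))   # file owner
BOB = Proc("bob", frozenset({"users", "web"}))       # another shell user
APACHE = Proc("apache", frozenset({"web"}))

# The four file cases described in the post, all owned by alice.
CASES = {
    "default 0644 alice:users": File("alice", "users", 0o644),
    "protected 0604 alice:users": File("alice", "users", 0o604),
    "apache-writable 0660 alice:web": File("alice", "web", 0o660),
    "apache-writable, public 0664 alice:web": File("alice", "web", 0o664),
}


def report():
    """Map each case to the access each principal gets from the file's mode bits."""
    return {name: {p.user: access(p, f) for p in (ALICE, BOB, APACHE)}
            for name, f in CASES.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:40} {row}")
```

In this model the 0604 case denies bob because the "users" group class matches first and carries no bits, while the 0660 and 0664 cases give bob the same read/write access as apache through his ordinary membership of "web".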
