Secure Unix permissions for an Apache website developer - Redhat

This is a discussion on Secure Unix permissions for an Apache website developer - Redhat ; Hi, I am setting up a new web server on to hold a company web site, using Apache 2.0.40 on a hardened RH9 box. I'm trying to set up a "security-concious" box here, so I'm squeezing my brain trying to ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: Secure Unix permissions for an Apache website developer

  1. Secure Unix permissions for an Apache website developer

    Hi,

    I am setting up a new web server on to hold a company web site, using
    Apache 2.0.40 on a hardened RH9 box. I'm trying to set up a
    "security-concious" box here, so I'm squeezing my brain trying to find
    out the best way to give the right access level to the person doing
    the web site's development (an external company in charge of HTML
    development).

    Although we do trust this company I don't want to give the developer
    (usually only one guy works on this site, two at the most) root
    access. I have created a regular user for him, and he can access the
    box via SSH to scp files to the server.

    Apache runs with a special no-privilege user and group (apache). I
    have configured the permissions on /var/www/html (the DocumentRoot
    directory) and its files to be owned by root, be readable by all (so
    apache will be allowed to serve them), but writeable only by the
    owner.

    Now, this is a problem for the developer, using his regular user, to
    upload files (he cannot write to the DocumentRoot directory as things
    are now). What's the best way to solve this ?

    I've thought of a special group (say "webadmin"), formed by the root
    user + the developer's regular user, and having html files owned by
    that group. But I'm not sure if this is a solution or a new problem...
    ;-)

    Any help will be much appreciated.

    Thanks and regards,

    James

  2. Re: Secure Unix permissions for an Apache website developer

    On 19 Apr 2004 09:26:35 -0700, acrux14@hotmail.com (James Schnack)
    wrote:

    >I've thought of a special group (say "webadmin"), formed by the root
    >user + the developer's regular user, and having html files owned by
    >that group. But I'm not sure if this is a solution or a new problem...
    > ;-)


    The group solution is the way I've always done this, both for html
    servers and for C/C++ software development work. Create a new group,
    recursive change the group of the contents of the DocumentRoot
    directory, recursive give write to group for DocumentRoot directory, and
    then add that group as a/the supplemental group to the applicable users.
    Done.

    The users need to use the newgrp command before they work in the
    development/DocumentRoot directory. If they forget to newgrp they might
    create files of the wrong group (fixable with chgrp), or they may not be
    able to create (based on the permissions of the dir).


    Do be careful not to use a group that any process already uses, and also
    don't use the initial group of any users.


    Brad
    --
    "Time's fun when you're having flies."
    Bradley W. Olin Kermit the Frog
    http://www.bwo1.com

  3. Re: Secure Unix permissions for an Apache website developer

    > The users need to use the newgrp command before they work in the
    > development/DocumentRoot directory. If they forget to newgrp they might
    > create files of the wrong group (fixable with chgrp), or they may not be
    > able to create (based on the permissions of the dir).


    I prefer to use the setgid bit on directories this way there's no newgrp
    funny business.


    Stefan

  4. Re: Secure Unix permissions for an Apache website developer

    On Mon, 19 Apr 2004 22:36:25 GMT, Stefan Monnier
    wrote:

    >> The users need to use the newgrp command before they work in the
    >> development/DocumentRoot directory. If they forget to newgrp they might
    >> create files of the wrong group (fixable with chgrp), or they may not be
    >> able to create (based on the permissions of the dir).

    >
    >I prefer to use the setgid bit on directories this way there's no newgrp
    >funny business.
    >


    I usually don't allow world read/write/execute permissions, especially
    for a C/C++ dev tree. That also tends to resolves it nicely. In this
    case the OP needs the apache processes to be able to read...


    Brad
    --
    "Time's fun when you're having flies."
    Bradley W. Olin Kermit the Frog
    http://www.bwo1.com

  5. Re: Secure Unix permissions for an Apache website developer

    James Schnack wrote:
    ..
    >
    > Although we do trust this company I don't want to give the developer
    > (usually only one guy works on this site, two at the most) root
    > access. I have created a regular user for him, and he can access the
    > box via SSH to scp files to the server.
    >


    Good call; don't give any privileges that they don't need.

    > Apache runs with a special no-privilege user and group (apache). I
    > have configured the permissions on /var/www/html (the DocumentRoot
    > directory) and its files to be owned by root, be readable by all (so
    > apache will be allowed to serve them), but writeable only by the
    > owner.


    Well, they don't have to be owned by root. Make them owned by the web
    developer's user. Or create a group of "webdevelopers" and make your
    developer part of that group with write permissions to the htdocs directory.

    Just do not make them owned by the user that the Apache server is
    running as.



    > I've thought of a special group (say "webadmin"), formed by the root
    > user + the developer's regular user, and having html files owned by
    > that group. But I'm not sure if this is a solution or a new problem...
    > ;-)
    >


    Why include root? All you need to do is create the webadmin group and
    add your web developer(s) to this group. Just remember to enable the
    write permissions on the required directories.



    WWJD? JWRTFM
    Rot13 for email address: yvfgf @ ehqa.pbz

  6. Re: Secure Unix permissions for an Apache website developer

    Hi,

    how about create a symbolic link to inside the html dir. which owed by the
    ops and read by the apache user and redirect the index file inside that
    directory

    cheers
    Dman
    "James Schnack" wrote in message
    news:45b1836d.0404190826.6e0ceacf@posting.google.c om...
    > Hi,
    >
    > I am setting up a new web server on to hold a company web site, using
    > Apache 2.0.40 on a hardened RH9 box. I'm trying to set up a
    > "security-concious" box here, so I'm squeezing my brain trying to find
    > out the best way to give the right access level to the person doing
    > the web site's development (an external company in charge of HTML
    > development).
    >
    > Although we do trust this company I don't want to give the developer
    > (usually only one guy works on this site, two at the most) root
    > access. I have created a regular user for him, and he can access the
    > box via SSH to scp files to the server.
    >
    > Apache runs with a special no-privilege user and group (apache). I
    > have configured the permissions on /var/www/html (the DocumentRoot
    > directory) and its files to be owned by root, be readable by all (so
    > apache will be allowed to serve them), but writeable only by the
    > owner.
    >
    > Now, this is a problem for the developer, using his regular user, to
    > upload files (he cannot write to the DocumentRoot directory as things
    > are now). What's the best way to solve this ?
    >
    > I've thought of a special group (say "webadmin"), formed by the root
    > user + the developer's regular user, and having html files owned by
    > that group. But I'm not sure if this is a solution or a new problem...
    > ;-)
    >
    > Any help will be much appreciated.
    >
    > Thanks and regards,
    >
    > James




  7. Tripwire?????

    My bootlog file keeps saying that tripwire could not iniate...run
    twinstall... what is this do I really need it running. Next when I run the
    pgm it stalls and says its can't install...Ok Im a newbie help please.


    Bob



  8. Re: Tripwire?????

    On Sun, 25 Apr 2004 21:32:17 +0000, bob seguin wrote:

    > My bootlog file keeps saying that tripwire could not iniate...run
    > twinstall... what is this do I really need it running.


    Google on "tripwire". Basically, it periodically checks whether
    certain files have changed, and notifies you if they have.

    > Next when I run the
    > pgm it stalls and says its can't install...Ok Im a newbie help please.


    http://catb.org/~esr/faqs/smart-questions.html

    Are you in a shell?
    Are you root? (If not, then 'su -' and enter password when prompted)
    Are you typing 'twinstall' or specifying an absolute path?
    What is the exact text of the "can't install" message?
    What is the exact text that appears when you type 'which twinstall'?


  9. Re: Tripwire?????

    In article , bob seguin wrote:
    > My bootlog file keeps saying that tripwire could not iniate...run
    > twinstall... what is this do I really need it running. Next when I run the
    > pgm it stalls and says its can't install...Ok Im a newbie help please.


    As root run

    /etc/tripwire/twinstall.sh

    tripwire --init (plus other options if you wish)

    Good luck.

    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

+ Reply to Thread