Posted to users@httpd.apache.org by David Christensen <dp...@holgerdanske.com> on 2003/11/02 19:57:12 UTC

[users@httpd] httpd user and user directory permissions dilemma

users@httpd.apache.org & users@httpd.apache.org:

I am running Apache 1.3.26 on Debian 3.0r1 (Woody).  I would like to
enable user ~/public_html directories, but have two security goals which
I cannot solve simultaneously:

1.  Apache should run as the user when reading user pages and running
    user CGI scripts.

2.  User home directories should not allow group or world access.


Using the default Debian configuration, placing content into
/home/dpchrist/public_html and browsing to
http://192.168.254.2/~dpchrist/ works just fine.  Enabling per-user
~/public_html/cgi-bin directories in httpd.conf and invoking "whoami"
from a CGI script in /home/dpchrist/public_html/cgi-bin reports
"dpchrist", confirming that goal #1 is met (I'm not sure of the
mechanics, but assume that Apache is making seteuid() and setegid()
system calls at some point before processing the CGI script).  However,
the default Debian home directory permissions are 755, failing goal #2.


When I change my home directory permissions to 700 to meet goal #2,
Apache fails with "Forbidden You don't have permission to access
/~dpchrist/ on this server. Apache/1.3.26 Server at 192.168.254.2 Port
80".


I don't understand why Apache cannot access my files and folders when
running as my userid.  Does anybody know the explanation?


Does anyone know how to meet both goals simultaneously?


TIA,

David



root@d3020g:~/d3020g/etc/apache# grep -v '^ *#' httpd.conf | grep -v '^$'
ServerType standalone
ServerRoot /etc/apache
LockFile /var/lock/apache.lock
PidFile /var/run/apache.pid
ScoreBoardFile /var/run/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 100
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so
LoadModule mime_magic_module /usr/lib/apache/1.3/mod_mime_magic.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime.so
LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so
LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so
LoadModule status_module /usr/lib/apache/1.3/mod_status.so
LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule alias_module /usr/lib/apache/1.3/mod_alias.so
LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so
LoadModule expires_module /usr/lib/apache/1.3/mod_expires.so
LoadModule unique_id_module /usr/lib/apache/1.3/mod_unique_id.so
LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so
ExtendedStatus On
Port 80
User www-data
Group www-data
ServerAdmin webmaster@d3020g
ServerName 192.168.254.2
DocumentRoot /var/www
<Directory />
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
<Directory /home/*/public_html/cgi-bin>
    Options +ExecCGI
</Directory>
<IfModule mod_dir.c>
    DirectoryIndex index.html index.htm index.shtml index.cgi
</IfModule>
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
UseCanonicalName On
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile share/magic
</IfModule>
HostnameLookups Off
ErrorLog /var/log/apache/error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache/access.log combined
ServerSignature On
Alias /icons/ /usr/share/apache/icons/
<Directory /usr/share/apache/icons>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory /usr/lib/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
<IfModule mod_autoindex.c>
    IndexOptions FancyIndexing NameWidth=*
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*
    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core
    AddIcon /icons/deb.gif .deb
    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^
    DefaultIcon /icons/unknown.gif
    ReadmeName README
    HeaderName HEADER
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>
<IfModule mod_mime.c>
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
    AddLanguage da .dk
    AddLanguage nl .nl
    AddLanguage en .en
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage it .it
    AddLanguage ja .ja
    AddCharset ISO-2022-JP .jis
    AddLanguage pl .po
    AddCharset ISO-8859-2 .iso-pl
    AddLanguage pt .pt
    AddLanguage pt-br .pt-br
    AddLanguage ltz .lu
    AddLanguage ca .ca
    AddLanguage es .es
    AddLanguage sv .se
    AddLanguage cz .cz
    <IfModule mod_negotiation.c>
        LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv
    </IfModule>
    AddType application/x-tar .tgz
    AddType image/bmp .bmp
    AddType text/x-hdml .hdml
    AddHandler cgi-script .pl
</IfModule>
AddDefaultCharset on
<IfModule mod_setenvif.c>
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>
<IfModule mod_perl.c>
  Alias /perl/ /var/www/perl/
  <Location /perl>
    SetHandler perl-script
    PerlHandler Apache::Registry
    Options +ExecCGI
  </Location>
</IfModule>
Alias /doc/ /usr/share/doc/
<Location /doc>
  order deny,allow
  deny from all
  allow from 127.0.0.0/255.0.0.0
  Options Indexes FollowSymLinks MultiViews
</Location>
<IfModule mod_proxy.c>
</IfModule>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] httpd user and user directory permissions dilemma

Posted by Roger Lipscombe <ro...@differentpla.net>.
users@httpd.apache.org & users@httpd.apache.org:
> 
> 2.  User home directories should not allow group or world access.

Why not?  Logically speaking, if Apache serves them over HTTP, they're
already available to the world.  Unless, of course, you implement
authentication to ensure that each user can only access his own web pages.

There's a reason it's called *public*_html.

Cheers,
Roger.



Re: [users@httpd] httpd user and user directory permissions dilemma

Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 2 Nov 2003, David Christensen wrote:

> users@httpd.apache.org & users@httpd.apache.org:
>
> I am running Apache 1.3.26 on Debian 3.0r1 (Woody).  I would like to
> enable user ~/public_html directories, but have two security goals which
> I cannot solve simultaneously:
>
> 1.  Apache should run as the user when reading user pages and running
>     user CGI scripts.
>
> 2.  User home directories should not allow group or world access.
>

Neither of these is possible because of the basic limitations of unix
security.

As you already figured out, you can accomplish part of 1, because suexec
can launch cgi scripts as the user.  The "reading user pages" part is
impossible, however, and any directory serving web pages must be in some
way accessible by the web server, so 2 isn't possible either.

Why?  Well, under unix, each program must run as a user.  To make apache
more secure, all request processing and serving is done under a
non-root userid (see the User and Group directives).  Obviously, a
non-root userid can't simply switch to some other userid.

Even if you were to run apache as root (not a good move!), this still
wouldn't work.  Each apache process serves many different requests.  If
the process were to switch to a non-root userid to serve a specific
directory, then it couldn't serve requests for any other directory,
because there is no way to get the root permissions back to switch to the
new user.  You could imagine a server that forked a new process to serve
each request, which then exited.  But you can also imagine that such a
server would be dog-slow.

Solutions?  Well, there have been a couple different projects that use the
new threading ability of apache 2 to allow different pools of threads to
be kept around to serve requests under different userids.  This wouldn't
work for dozens or hundreds of different userids, of course.  And none of
these projects has anything production ready.  See the "perchild" mpm,
which doesn't work.

You could do the same thing by running a number of different instances of
apache on different ports with different privileges and using a reverse
proxy to choose which one gets the requests.  Again, this would be rather
resource intensive and complicated.

The punch-line: you can't do that.  CGI scripts can be launched under
different userids, but ordinary pages (including php scripts launched as
part of the apache process) must use the apache userid.  Hence you need to
provide world or apache-group read and search access to all the files you
want to serve.

(That was probably way more than you wanted to know.  I should put that
into the FAQ so I don't have to repeat it!)

Joshua.


Re: [users@httpd] httpd user and user directory permissions dilemma

Posted by Brian Dessent <br...@dessent.net>.
David Christensen wrote:

> When I change my home directory permissions to 700 to meet goal #2,
> Apache fails with "Forbidden You don't have permission to access
> /~dpchrist/ on this server. Apache/1.3.26 Server at 192.168.254.2 Port
> 80".
> 
> I don't understand why Apache cannot access my files and folders when
> running as my userid.  Does anybody know the explanation?
> 
> Does anyone know how to meet both goals simultaneously?

Because Apache only changes its credentials for CGI scripts, not for
requests handled internally.  I don't know of a way to get Apache to
change its user/group for every request.  The 755 situation is standard
practise -- if the files are viewable on the web they're pretty much
public so there's nothing gained by restricting access to the
public_html directory.

You could get around this by using groups.  For example, assuming each
user has its own group (and that the files in the home dir are owned by
this group as well) then you could just add the apache user to each
user's group.  Then the public_html directories could be 750, and so
viewable by the owner and Apache but not other users on the system. 
Alternatively you could "chgrp -R www-data ~/public_html" (or whatever
group it is in Debian) to have the web stuff owned by the Apache group,
which would also allow you to have 750 permissions.  I don't know if
either of these ideas are "best practice" or have any major flaws, but
they should work if all you want to do is limit local filesystem access
to www files.

Brian
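
An added illustration (not code from the thread) of the point made in Joshua's and Brian's replies: the 403 on a 700 home directory comes from the kernel's per-component permission check that an Apache worker running as www-data hits when it opens ~dpchrist/public_html/index.html, and Brian's 750-plus-group workaround passes that same check. The directory tree and the numeric uids/gids (dpchrist 1000, www-data 33) are constructed assumptions.

```python
import stat
from collections import namedtuple
from pathlib import PurePosixPath

Entry = namedtuple("Entry", "mode uid gid")  # one inode: mode bits, owner uid, owner gid
# Assumed numeric ids (the thread names the users, not their ids).
DPCHRIST, DPCHRIST_GRP = 1000, 1000
WWW_DATA, WWW_DATA_GRP = 33, 33

def make_tree(home_mode):
    """Constructed model of the poster's tree with a chosen mode on /home/dpchrist."""
    d, f = stat.S_IFDIR, stat.S_IFREG
    return {
        "/": Entry(d | 0o755, 0, 0),
        "/home": Entry(d | 0o755, 0, 0),
        "/home/dpchrist": Entry(d | home_mode, DPCHRIST, DPCHRIST_GRP),
        "/home/dpchrist/public_html": Entry(d | 0o755, DPCHRIST, DPCHRIST_GRP),
        "/home/dpchrist/public_html/index.html": Entry(f | 0o644, DPCHRIST, DPCHRIST_GRP),
    }

def permitted(entry, uid, gids, want):
    """Owner bits if uid matches, else group bits if gid is one of ours, else other bits; root bypasses."""
    if uid == 0:
        return True
    shift = 6 if uid == entry.uid else 3 if entry.gid in gids else 0
    return (entry.mode >> shift) & want == want

def explain_access(tree, path, uid, gids):
    """Do what the kernel does for Apache's open(): every directory on the way
    needs search (x) for this uid, the file itself needs read (r).
    Returns (ok, first component that refused) so the cause of a 403 is visible."""
    parts = PurePosixPath(path).parts
    for i in range(1, len(parts)):
        parent = str(PurePosixPath(*parts[:i]))
        if not permitted(tree[parent], uid, gids, 0o1):
            return False, parent
    if not permitted(tree[path], uid, gids, 0o4):
        return False, path
    return True, None

if __name__ == "__main__":
    page = "/home/dpchrist/public_html/index.html"
    cases = [
        ("home 755, www-data",            0o755, WWW_DATA, {WWW_DATA_GRP}),
        ("home 700, www-data",            0o700, WWW_DATA, {WWW_DATA_GRP}),
        ("home 700, dpchrist (suexec)",   0o700, DPCHRIST, {DPCHRIST_GRP}),
        ("home 750, www-data in group",   0o750, WWW_DATA, {WWW_DATA_GRP, DPCHRIST_GRP}),
    ]
    for label, mode, uid, gids in cases:
        print(label, "->", explain_access(make_tree(mode), page, uid, gids))
```

The 700 case stops at /home/dpchrist for www-data but passes for dpchrist, which is exactly the split between CGI under suexec and pages served by the worker that the replies describe.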

For additional commands, e-mail: users-help@httpd.apache.org