Posted to users@httpd.apache.org by Richard Geddes <ri...@verizon.net> on 2008/02/25 06:59:40 UTC

[users@httpd] Question on permissions

Hello,

I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual
hosting.  The apache servers servicing requests run as www-data.

The idea is to allow users to make their own websites under their home
directories, and for the admin to symlink the users' DocumentRoot
directories below the main DocumentRoot directory, and have the apache
configuration file with <VirtualHost> sections direct the http requests
appropriately.

I got this to work correctly, but I had to set the 'other' execution bit
for directories that lead to the users symlinked directory.  This means
that users will have execute permissions on each others' directories,
but I want to keep the users strictly separated from each other.... I
think the FAQ suggests this, if I'm not mistaken, but I think there is a
security issue here.

In the Ubuntu case, the apache servers run as the user www-data, so I
made the www-data user a member of a particular user group... and since
each user's directories can have group execute permissions without
giving any permissions to other groups www-data should have execute
permissions under that particular directory.... but that didn't work. 
Also, if I can get this to work, I'll have a quick way to enable/disable
user's websites.

Is there a way of keeping users strictly separated (no permissions
between users) and allowing the users' DocumentRoot directories to be
symlinked under the main DocumentRoot directory?

Richard

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Question on permissions

Posted by Richard Geddes <ri...@verizon.net>.
... to see what exactly apache sees?

Richard Geddes wrote:
> U,
>
> Thanks... restarting or reloading seemed to apply the changes made to
> /etc/group file. 
>
> Is there a way to dump to screen the apache "environment stuff" to see
> what exactly apache sees?  I looked at the man pages for apache2 and
> apache2ctl searching for 'environment' ... no matches.
>
> R
>
> Udo Rader wrote:
>> On Tue, 2008-02-26 at 11:08 -0500, Richard Geddes wrote:
>>   
>>> Thanks for the response.  
>>>
>>> I set up a directory under the main DocumentRoot called test 
>>>
>>> drwxr-xr-x 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>>>
>>> and it appeared in a directory listing in the webpage of my main
>>> DocumentRoot.
>>>
>>> Changed permissions as follows:
>>>
>>> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>>>
>>> and test disappears from the webpage (this makes sense)
>>>
>>> changed group as follows:
>>>
>>> drwxr-x--- 2 rgeddes www-data  80 2008-02-18 15:18 test
>>>
>>> and test appears in the webpage (this makes sense) as the servers are
>>> running as www-data.
>>>
>>> Now if I change the group back to:
>>>
>>> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>>>
>>> and I add www-data to the rgeddes group in /etc/group, the directory
>>> fails to show up.  This does not make sense to me as www-data is part
>>> of the rgeddes group and rgeddes has r-x permissions.
>>>
>>> Is there a reason why www-data is not being granted rgeddes group
>>> permissions?
>>>     
>>
>> restart Apache. Apache, like any other UNIX process "remembers" some basic
>> "environmental" stuff, like the (secondary) group membership(s) of the
>> user it runs under.
>>
>> Restarting Apache makes it "refetch" this kind of data.
>>   
>>   

Re: [users@httpd] Question on permissions

Posted by Richard Geddes <ri...@verizon.net>.
U,

Thanks... restarting or reloading seemed to apply the changes made to
/etc/group file. 

Is there a way to dump to screen the apache "environment stuff" to see
what exactly apache sees?  I looked at the man pages for apache2 and
apache2ctl searching for 'environment' ... no matches.

R

Udo Rader wrote:
> On Tue, 2008-02-26 at 11:08 -0500, Richard Geddes wrote:
>   
>> Thanks for the response.  
>>
>> I set up a directory under the main DocumentRoot called test 
>>
>> drwxr-xr-x 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>>
>> and it appeared in a directory listing in the webpage of my main
>> DocumentRoot.
>>
>> Changed permissions as follows:
>>
>> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>>
>> and test disappears from the webpage (this makes sense)
>>
>> changed group as follows:
>>
>> drwxr-x--- 2 rgeddes www-data  80 2008-02-18 15:18 test
>>
>> and test appears in the webpage (this makes sense) as the servers are
>> running as www-data.
>>
>> Now if I change the group back to:
>>
>> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>>
>> and I add www-data to the rgeddes group in /etc/group, the directory
>> fails to show up.  This does not make sense to me as www-data is part
>> of the rgeddes group and rgeddes has r-x permissions.
>>
>> Is there a reason why www-data is not being granted rgeddes group
>> permissions?
>>     
>
> restart Apache. Apache, like any other UNIX process "remembers" some basic
> "environmental" stuff, like the (secondary) group membership(s) of the
> user it runs under.
>
> Restarting Apache makes it "refetch" this kind of data.
>   
>   
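Richard asks above how to see what the running server actually holds. An added example, not code from the thread or from the httpd project: on Linux the kernel exposes each process's credentials in /proc/<pid>/status, and its Groups: line is the supplementary-group snapshot taken when the process started, so diffing that line against /etc/group shows whether a group change has been picked up yet. The status text, the /etc/group excerpt and gid 1000 are constructed for the example; the `live_stale_groups` helper reads the real files for a pid you supply.

```python
"""Compare the group list a running process holds with /etc/group.

Added example, not from the thread. The Groups: line in /proc/<pid>/status is
the supplementary-group snapshot a process received at start (initgroups), so
a group added afterwards is absent until the process is restarted.
"""
from typing import Set, Tuple

# Constructed sample: an apache2 worker started before www-data was added
# to the rgeddes group (gid 1000 is hypothetical).
STATUS_BEFORE_RESTART = """Name:\tapache2
State:\tS (sleeping)
Pid:\t4242
Uid:\t33\t33\t33\t33
Gid:\t33\t33\t33\t33
Groups:\t33
"""

# Same worker after a restart; initgroups() re-read /etc/group for www-data.
STATUS_AFTER_RESTART = STATUS_BEFORE_RESTART.replace("Groups:\t33", "Groups:\t33 1000")

# Constructed /etc/group excerpt: www-data has been added as a member of rgeddes.
GROUP_FILE = """root:x:0:
www-data:x:33:
rgeddes:x:1000:www-data
"""


def proc_groups(status_text: str) -> Tuple[int, Set[int]]:
    """Return (real gid, supplementary gids) parsed from a /proc/<pid>/status text."""
    gid = None
    groups: Set[int] = set()
    for line in status_text.splitlines():
        if line.startswith("Gid:"):
            gid = int(line.split()[1])          # real, effective, saved, fs: take the real gid
        elif line.startswith("Groups:"):
            groups = {int(g) for g in line.split()[1:]}
    if gid is None:
        raise ValueError("no Gid: line; not a /proc status file?")
    return gid, groups


def group_db_memberships(user: str, group_text: str) -> Set[int]:
    """Gids of every group in an /etc/group text that lists `user` as a member."""
    gids: Set[int] = set()
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if user in [m for m in members.split(",") if m]:
            gids.add(int(gid))
    return gids


def stale_groups(status_text: str, user: str, group_text: str) -> Set[int]:
    """Groups that /etc/group grants `user` but the running process does not hold."""
    gid, held = proc_groups(status_text)
    return group_db_memberships(user, group_text) - held - {gid}


def live_stale_groups(pid: int, user: str) -> Set[int]:
    """The same check against the real /proc and /etc/group (Linux only)."""
    with open(f"/proc/{pid}/status") as status, open("/etc/group") as groups:
        return stale_groups(status.read(), user, groups.read())


if __name__ == "__main__":
    print("before restart, not yet held:", stale_groups(STATUS_BEFORE_RESTART, "www-data", GROUP_FILE))
    print("after restart, not yet held: ", stale_groups(STATUS_AFTER_RESTART, "www-data", GROUP_FILE))
```

On a live Ubuntu box the one-liner equivalent is `grep Groups /proc/$(pidof apache2 | cut -d' ' -f1)/status`, while `id www-data` shows only what a freshly started process would receive, which is exactly the difference the thread ran into.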

Re: [users@httpd] Question on permissions

Posted by Udo Rader <ud...@bestsolution.at>.
On Tue, 2008-02-26 at 11:08 -0500, Richard Geddes wrote:
> Thanks for the response.  
> 
> I set up a directory under the main DocumentRoot called test 
> 
> drwxr-xr-x 2 rgeddes rgeddes  80 2008-02-18 15:18 test
> 
> and it appeared in a directory listing in the webpage of my main
> DocumentRoot.
> 
> Changed permissions as follows:
> 
> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
> 
> and test disappears from the webpage (this makes sense)
> 
> changed group as follows:
> 
> drwxr-x--- 2 rgeddes www-data  80 2008-02-18 15:18 test
> 
> and test appears in the webpage (this makes sense) as the servers are
> running as www-data.
> 
> Now if I change the group back to:
> 
> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
> 
> and I add www-data to the rgeddes group in /etc/group, the directory
> fails to show up.  This does not make sense to me as www-data is part
> of the rgeddes group and rgeddes has r-x permissions.
> 
> Is there a reason why www-data is not being granted rgeddes group
> permissions?

restart Apache. Apache, like any other UNIX process "remembers" some basic
"environmental" stuff, like the (secondary) group membership(s) of the
user it runs under.

Restarting Apache makes it "refetch" this kind of data.
  
-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
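The five steps Richard walked through, and Udo's explanation of why the last one only works after a restart, as an added Python model (not code from the thread or from httpd). It applies the owner/group/other rule to every directory on a path the way the kernel does: each component needs the search (x) bit for the process's credentials, and the target needs r for an index listing. The credential set is a snapshot, which is what a running worker holds; the paths, names and modes are constructed. The last function goes beyond the thread's experiment to Richard's original goal, a site under a home directory with no 'other' bits at all, and shows it works only once www-data is in the user's group and the worker has been restarted.

```python
"""In-memory model of the access check behind the thread's experiment.

Added example, not code from the thread. A process receives its
supplementary groups once, at start (initgroups), so `Creds.groups` is a
snapshot: editing /etc/group does not change it until Apache is restarted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Inode:
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o750


@dataclass
class Creds:
    user: str
    groups: List[str]  # primary + supplementary groups as the PROCESS holds them


R, W, X = 4, 2, 1


def allows(inode: Inode, creds: Creds, bit: int) -> bool:
    """Owner / group / other check for one permission bit (root bypasses it)."""
    if creds.user == "root":
        return True
    if creds.user == inode.owner:
        return bool((inode.mode >> 6) & bit)
    if inode.group in creds.groups:
        return bool((inode.mode >> 3) & bit)
    return bool(inode.mode & bit)


def blocking_component(tree: Dict[str, Inode], path: str, creds: Creds) -> Optional[str]:
    """First path component that denies access, or None if `path` can be listed.
    Every intermediate directory needs x; the target needs r (listing) and x."""
    current = "/"
    for part in [p for p in path.split("/") if p]:
        if not allows(tree[current], creds, X):
            return current
        current = current.rstrip("/") + "/" + part
    if not (allows(tree[current], creds, R) and allows(tree[current], creds, X)):
        return current
    return None


def thread_experiment() -> Dict[str, Optional[str]]:
    """Replay Richard's steps; each value is the blocking component or None."""
    target = "/var/www/test"
    tree = {
        "/": Inode("root", "root", 0o755),
        "/var": Inode("root", "root", 0o755),
        "/var/www": Inode("root", "root", 0o755),              # main DocumentRoot
        target: Inode("rgeddes", "rgeddes", 0o755),
    }
    running = Creds("www-data", ["www-data"])                 # snapshot from startup
    out: Dict[str, Optional[str]] = {}
    out["755"] = blocking_component(tree, target, running)
    tree[target].mode = 0o750
    out["750 group rgeddes"] = blocking_component(tree, target, running)
    tree[target].group = "www-data"
    out["750 group www-data"] = blocking_component(tree, target, running)
    tree[target].group = "rgeddes"
    # /etc/group now lists www-data under rgeddes, but the worker's snapshot is stale.
    out["750, www-data in rgeddes, no restart"] = blocking_component(tree, target, running)
    restarted = Creds("www-data", ["www-data", "rgeddes"])    # initgroups() re-read /etc/group
    out["750, www-data in rgeddes, restarted"] = blocking_component(tree, target, restarted)
    return out


def home_layout(www_in_user_group: bool) -> Optional[str]:
    """Richard's goal: a site under /home/rgeddes with no 'other' bits on the
    home directory, reachable by www-data only through group membership."""
    tree = {
        "/": Inode("root", "root", 0o755),
        "/home": Inode("root", "root", 0o755),
        "/home/rgeddes": Inode("rgeddes", "rgeddes", 0o750),             # no o+x
        "/home/rgeddes/public_html": Inode("rgeddes", "rgeddes", 0o750),
    }
    groups = ["www-data", "rgeddes"] if www_in_user_group else ["www-data"]
    return blocking_component(tree, "/home/rgeddes/public_html", Creds("www-data", groups))


if __name__ == "__main__":
    for step, blocked in thread_experiment().items():
        print(f"{step:40} -> {'listing OK' if blocked is None else 'denied at ' + blocked}")
    print("home layout, www-data outside rgeddes:", home_layout(False))
    print("home layout, www-data inside rgeddes: ", home_layout(True))
```

The model checks the real path only; the symlink Richard places under DocumentRoot adds Apache's own FollowSymLinks / SymLinksIfOwnerMatch check on top of the kernel's, which is not modelled here. The group-based layout also keeps one user's www-data membership from leaking into other users' trees, since each home directory grants its group bits to its own group.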




Re: [users@httpd] Question on permissions

Posted by Richard Geddes <ri...@verizon.net>.
A

Thanks for the input.

I found www-data in both the /etc/passwd and /etc/group files, so I
assume there is in fact a www-data user and a www-data group.

Restarting or reloading the apache server seemed to apply the changes
made to the /etc/group file... i.e. grant the www-data user rgeddes group
permissions.

R

Adam Martin wrote:
>
> Richard,
>
>  
>
> I’m new to the group and thought I’d take a crack at this one.  Is
> www-data a user or group?  From the end of your email it sounds like a
> user since you added it to the rgeddes group but I am a little
> confused when you changed the group from rgeddes to www-data in the
> middle of your example.  If it is a group then I don’t believe you can
> add a group to another group in the /etc/group file.
>
>  
>
> If it is a user I did a quick test on one of our servers to verify but I
> don’t believe the adding of a user to a group is dynamic.  In order
> for the new group assignment to take effect I had to log out and log
> in as the test user for the id command to reflect the change.  You
> didn’t mention it in your email but did you try and restart your
> server after adding the www-data user to the rgeddes group?
>
>  
>
> My apologies if I am misunderstanding your question.
>
>  
>
> ------------------------------------------------------------------------
>
> *From:* Richard Geddes [mailto:rich.geddes@verizon.net]
> *Sent:* Tuesday, February 26, 2008 10:08 AM
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] Question on permissions
>
>  
>
> Thanks for the response. 
>
> I set up a directory under the main DocumentRoot called test
>
> drwxr-xr-x 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>
> and it appeared in a directory listing in the webpage of my main
> DocumentRoot.
>
> Changed permissions as follows:
>
> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>
> and test disappears from the webpage (this makes sense)
>
> changed group as follows:
>
> drwxr-x--- 2 rgeddes www-data  80 2008-02-18 15:18 test
>
> and test appears in the webpage (this makes sense) as the servers are
> running as www-data.
>
> Now if I change the group back to:
>
> drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test
>
> and I add www-data to the rgeddes group in /etc/group, the directory
> fails to show up.  This does not make sense to me as www-data is part
> of the rgeddes group and rgeddes has r-x permissions.
>
> Is there a reason why www-data is not being granted rgeddes group
> permissions?
>
> Thanks
> Richard
>
>
> Joshua Slive wrote:
>
> On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes
> <ri...@verizon.net> wrote:
>   
>> Hello,
>>  
>>  I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual
>>  hosting.  The apache servers servicing requests run as www-data.
>>  
>>  The idea is to allow users to make their own websites under their home
>>  directories, and for the admin to symlink the users' DocumentRoot
>>  directories below the main DocumentRoot directory, and have the apache
>>  configuration file with <VirtualHost> sections direct the http requests
>>  appropriately.
>>  
>>  I got this to work correctly, but I had to set the 'other' execution bit
>>  for directories that lead to the users symlinked directory.  This means
>>  that users will have execute permissions on each others' directories,
>>  but I want to keep the users strictly separated from each other.... I
>>  think the FAQ suggests this, if I'm not mistaken, but I think there is a
>>  security issue here.
>>     
>  
> Having world-executable (searchable, really) home directories is not
> an uncommon configuration. Yes, your users need to be a little more
> careful about the permissions of stuff inside their home directories,
> but that isn't such a big deal.
>  
> Alternatively, do the symlink in the other direction: put the
> directories under DocumentRoot and include a symlink in the home
> directories pointing to the correct location so your users know what
> to edit.
>  
> Joshua.
>  
>  
>  
>   

RE: [users@httpd] Question on permissions

Posted by Adam Martin <Ad...@infor.com>.
Richard,

 

I'm new to the group and thought I'd take a crack at this one.  Is
www-data a user or group?  From the end of your email it sounds like a
user since you added it to the rgeddes group but I am a little confused
when you changed the group from rgeddes to www-data in the middle of
your example.  If it is a group then I don't believe you can add a group
to another group in the /etc/group file.

 

If it is a user I did a quick test on one of our servers to verify but I
don't believe the adding of a user to a group is dynamic.  In order for
the new group assignment to take effect I had to log out and log in as
the test user for the id command to reflect the change.  You didn't
mention it in your email but did you try and restart your server after
adding the www-data user to the rgeddes group?

 

My apologies if I am misunderstanding your question.

 

________________________________

From: Richard Geddes [mailto:rich.geddes@verizon.net] 
Sent: Tuesday, February 26, 2008 10:08 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Question on permissions

 

Thanks for the response.  

I set up a directory under the main DocumentRoot called test 

drwxr-xr-x 2 rgeddes rgeddes  80 2008-02-18 15:18 test

and it appeared in a directory listing in the webpage of my main
DocumentRoot.

Changed permissions as follows:

drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test

and test disappears from the webpage (this makes sense)

changed group as follows:

drwxr-x--- 2 rgeddes www-data  80 2008-02-18 15:18 test

and test appears in the webpage (this makes sense) as the servers are
running as www-data.

Now if I change the group back to:

drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test

and I add www-data to the rgeddes group in /etc/group, the directory
fails to show up.  This does not make sense to me as www-data is part of
the rgeddes group and rgeddes has r-x permissions.

Is there a reason why www-data is not being granted rgeddes group
permissions?

Thanks
Richard


Joshua Slive wrote: 

On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes
<ri...@verizon.net> wrote:
  

	Hello,

	I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual
	hosting.  The apache servers servicing requests run as www-data.

	The idea is to allow users to make their own websites under their home
	directories, and for the admin to symlink the users' DocumentRoot
	directories below the main DocumentRoot directory, and have the apache
	configuration file with <VirtualHost> sections direct the http requests
	appropriately.

	I got this to work correctly, but I had to set the 'other' execution bit
	for directories that lead to the users symlinked directory.  This means
	that users will have execute permissions on each others' directories,
	but I want to keep the users strictly separated from each other.... I
	think the FAQ suggests this, if I'm not mistaken, but I think there is a
	security issue here.

 
Having world-executable (searchable, really) home directories is not
an uncommon configuration. Yes, your users need to be a little more
careful about the permissions of stuff inside their home directories,
but that isn't such a big deal.
 
Alternatively, do the symlink in the other direction: put the
directories under DocumentRoot and include a symlink in the home
directories pointing to the correct location so your users know what
to edit.
 
Joshua.
 
 
 
  

Re: [users@httpd] Question on permissions

Posted by Richard Geddes <ri...@verizon.net>.
Thanks for the response. 

I set up a directory under the main DocumentRoot called test

drwxr-xr-x 2 rgeddes rgeddes  80 2008-02-18 15:18 test

and it appeared in a directory listing in the webpage of my main
DocumentRoot.

Changed permissions as follows:

drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test

and test disappears from the webpage (this makes sense)

changed group as follows:

drwxr-x--- 2 rgeddes www-data  80 2008-02-18 15:18 test

and test appears in the webpage (this makes sense) as the servers are
running as www-data.

Now if I change the group back to:

drwxr-x--- 2 rgeddes rgeddes  80 2008-02-18 15:18 test

and I add www-data to the rgeddes group in /etc/group, the directory
fails to show up.  This does not make sense to me as www-data is part of
the rgeddes group and rgeddes has r-x permissions.

Is there a reason why www-data is not being granted rgeddes group
permissions?

Thanks
Richard


Joshua Slive wrote:
> On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes
> <ri...@verizon.net> wrote:
>   
>> Hello,
>>
>>  I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual
>>  hosting.  The apache servers servicing requests run as www-data.
>>
>>  The idea is to allow users to make their own websites under their home
>>  directories, and for the admin to symlink the users' DocumentRoot
>>  directories below the main DocumentRoot directory, and have the apache
>>  configuration file with <VirtualHost> sections direct the http requests
>>  appropriately.
>>
>>  I got this to work correctly, but I had to set the 'other' execution bit
>>  for directories that lead to the users symlinked directory.  This means
>>  that users will have execute permissions on each others' directories,
>>  but I want to keep the users strictly separated from each other.... I
>>  think the FAQ suggests this, if I'm not mistaken, but I think there is a
>>  security issue here.
>>     
>
> Having world-executable (searchable, really) home directories is not
> an uncommon configuration. Yes, your users need to be a little more
> careful about the permissions of stuff inside their home directories,
> but that isn't such a big deal.
>
> Alternatively, do the symlink in the other direction: put the
> directories under DocumentRoot and include a symlink in the home
> directories pointing to the correct location so your users know what
> to edit.
>
> Joshua.
>
>
>
>   

Re: [users@httpd] Question on permissions

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, Feb 25, 2008 at 12:59 AM, Richard Geddes
<ri...@verizon.net> wrote:
> Hello,
>
>  I'm using apache 2.2 on Ubuntu 7.10 setting up name-based virtual
>  hosting.  The apache servers servicing requests run as www-data.
>
>  The idea is to allow users to make their own websites under their home
>  directories, and for the admin to symlink the users' DocumentRoot
>  directories below the main DocumentRoot directory, and have the apache
>  configuration file with <VirtualHost> sections direct the http requests
>  appropriately.
>
>  I got this to work correctly, but I had to set the 'other' execution bit
>  for directories that lead to the users symlinked directory.  This means
>  that users will have execute permissions on each others' directories,
>  but I want to keep the users strictly separated from each other.... I
>  think the FAQ suggests this, if I'm not mistaken, but I think there is a
>  security issue here.

Having world-executable (searchable, really) home directories is not
an uncommon configuration. Yes, your users need to be a little more
careful about the permissions of stuff inside their home directories,
but that isn't such a big deal.

Alternatively, do the symlink in the other direction: put the
directories under DocumentRoot and include a symlink in the home
directories pointing to the correct location so your users know what
to edit.

Joshua.
