httpd-users mailing list archives

From Hong Wang <hw...@haverford.edu>
Subject Re: Unix permissions limitation
Date Mon, 22 Apr 2002 20:39:43 GMT
I think you need to add the group sticky bit to restrict group access to files.
Generally, using

   chmod 4755 filename

So the file is only accessed by users belonging to that group.

Hong




At 03:36 PM 4/22/02 -0500, Ted Packwood wrote:
>Andy-
>
>Thanks for the suggestion, but it does not address the issue.
>We need to restrict access (including read-access) to only those
>people allowed to view the files.  As I stated below, having
>everyone who needs to edit web documents belong to the same GID
>is not secure enough.  To use your example, webuser2 can still
>view webuser1's web documents on the unix side, even if the web
>side is controlled by .htaccess files.  This would work for
>public information but for web data that needs to be secured
>this won't work.  We need to be able to make it so that only
>the people belonging to webuser1 (for instance) can view webuser1's
>files on the unix side AND the web side.
>
>Sorry if I didn't make this clear enough.
>Ted
>
>Andrew Hawkes wrote:
> >
> > Why do they need to belong to the group to edit files? What about
> >
> > -rw-r-----  webuser1  nobody  blah.html
> > -rw-r-----  webuser2  nobody  foo.html
> >
> > That way only the respective owners, 'webuser1' and 'webuser2', can edit
> > them, but anyone in group 'nobody' can view them. And only the web server
> > account would be a member of group 'nobody'. The other users would belong
> > to a different group.
> >
> > The only problem with this is when users create a brand new file it will
> > have to be chgrp to nobody before the web server can access it.
> >
> > -Andy
> >
> > > Our old implementation of Apache for internal web services here at Cray
> > > uses, of course, a specific UID and GID (let's just call it nobody)
> > > for the httpd daemon which, from my understanding, needs read permission
> > > on any document you want to be able to be viewed through a browser.
> > > This currently runs on IRIX but I would assume the situation to be
> > > the same for any unix platform.  At any rate, we run several virtual
> > > web servers all owned by different groups within the company.  Each
> > > group needs to be able to restrict access to their web files on both
> > > the web side and the unix side.  The web side is easy, of course, with
> > > .htaccess files.  The unix side is problematic, from my understanding,
> > > because the httpd daemon needs read permission.  Because the httpd
> > > daemon is "stuck" on a specific UID/GID, I see only the following as
> > > solutions.
> > >
> > > 1) All web documents need the world-read permission bit set (which is
> > > simply not acceptable from a security standpoint)
> > > -or-
> > > 2) All web documents need the group-read permission bit set AND have
> > > all the documents group-owned by the GID of the httpd daemon.  In
> > > this case the world-read permission bit can be removed, but then
> > > everyone who edits web documents needs to belong to this group.  Not
> > > as poor from a security standpoint as (1), but still not truly viable.
> > > -or-
> > > 3) All web documents need the user-read permission bit set AND have
> > > the documents owned by the UID of the httpd daemon.  This is no better
> > > than (2), in fact slightly worse, since all the users would have to
> > > log in to the webserver as this user in order to edit documents (as
> > > opposed to logging in as themselves).
> > > -or-
> > > 4) use ACLs.  This to me seems the only viable solution from a security
> > > standpoint.  However, IRIX 6.5 does not currently backup ACLs correctly
> > > and so we are considering moving our web data to a different platform.
> > > As you can imagine this will be considerable work, since this is our
> > > production web server.
> > >
> > > From my understanding, su-exec is only useful for cgi scripts and not
> > > an effective solution for standard html documents.
> > >
> > > Are there any other solutions that I am not aware of?
> > >
> > > Thanks much!
> > > Ted Packwood
> > > Web Administrator
> > > Cray Inc.
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server
> > > Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >
> >

Hong Wang
Academic Computing Center
610-896-1046
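An added example, written for this archive page and not part of the thread or of Apache itself: a small POSIX shell model of the Unix read-permission decision, run against the three file layouts discussed above (world-read, editors sharing the daemon's group, and Andy's layout where only the web server account is in group nobody), followed by a scratch-file demonstration of what the leading digit of a four-digit chmod mode sets. The account names webuser1, webuser2 and httpd, the group name webusers and the temporary file are constructed for the example. Two facts the model relies on: the kernel applies exactly one permission class (owner, else group, else other), so the owner never falls through to the group bits; and in a four-digit octal mode the leading 4 is setuid, 2 is setgid and 1 is the sticky bit. The setgid bit on a directory makes files created inside it inherit the directory's group, which removes the per-file chgrp step Andy mentions.

```shell
#!/bin/sh
# Added example, not from the thread: a model of the Unix read-permission
# decision for constructed accounts, plus what the leading octal digit does.

# in_groups GROUP NAME... : succeeds if GROUP is one of NAME...
in_groups() {
  want=$1; shift
  for g in "$@"; do
    [ "$g" = "$want" ] && return 0
  done
  return 1
}

# can_read USER "GROUP ..." OWNER GROUP MODE
# Succeeds if USER may read a file owned by OWNER:GROUP with octal MODE.
# Exactly one permission class applies: owner bits if the uid matches,
# otherwise group bits if any of USER's groups matches, otherwise other
# bits. The owner never falls through to the group or other bits.
can_read() {
  user=$1 user_groups=$2 owner=$3 group=$4 mode=$5
  m=$(( 0$mode ))      # leading 0 parses MODE as octal (4755, 640, 0640 all work)
  if [ "$user" = "$owner" ]; then
    bits=$(( (m >> 6) & 7 ))
  elif in_groups "$group" $user_groups; then
    bits=$(( (m >> 3) & 7 ))
  else
    bits=$(( m & 7 ))
  fi
  [ $(( bits & 4 )) -ne 0 ]
}

# readers OWNER GROUP MODE EDITOR_GROUP
# Prints who can read one file: webuser1 and webuser2 (editors, members of
# EDITOR_GROUP) and httpd (the daemon, whose only group is nobody).
readers() {
  out=""
  for u in webuser1 webuser2; do
    if can_read "$u" "$4" "$1" "$2" "$3"; then out="$out $u=yes"; else out="$out $u=no"; fi
  done
  if can_read httpd nobody "$1" "$2" "$3"; then out="$out httpd=yes"; else out="$out httpd=no"; fi
  printf '%s\n' "${out# }"
}

# mode_string PATH: the ten-character type+permission field of ls -l.
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# demo_modes: shows the ls -l rendering of a few modes on a scratch file.
# 's' in the owner execute slot is setuid (4xxx); in the group slot, setgid (2xxx).
demo_modes() {
  d=$(mktemp -d) || return 1
  : > "$d/blah.html"
  for mode in 0640 4755 2750; do
    chmod "$mode" "$d/blah.html"
    printf '%s -> %s\n' "$mode" "$(mode_string "$d/blah.html")"
  done
  rm -rf "$d"
}

# The layouts from the thread (constructed account and group names):
printf '%-48s %s\n' "644, editors in group webusers (option 1):" "$(readers webuser1 webusers 644 webusers)"
printf '%-48s %s\n' "640, group nobody, editors in nobody (option 2):" "$(readers webuser1 nobody 640 nobody)"
printf '%-48s %s\n' "640, group nobody, only httpd in nobody (Andy):" "$(readers webuser1 nobody 640 webusers)"
demo_modes
```

The third line of output is the one to compare with the second: with the file group set to nobody, mode 640, and the editors kept in a group of their own, the daemon can read the file while webuser2 cannot, and only the owner can write it. The demo at the end renders the same scratch file under 0640, 4755 and 2750 so the effect of the leading digit is visible in the ls -l mode field.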



