httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex <mysqlstud...@gmail.com>
Subject [users@httpd] Apache on Fedora and DocumentRoot permissions
Date Wed, 26 Oct 2016 14:27:48 GMT
Hi,

I have a fedora24 install with apache-2.4.23 and the latest version of
joomla, and having some problems with the inability of the apache user
to modify files while also allowing the site admin account modify
those same files in the document root.

I understand there are several solutions to this problem, but I don't
know which one is the best for me, both from a security and
functionality perspective.

I've been setting up apache sites for a really long time, although I
don't claim to be an expert. I also know that adding both the site
admin user (joomadmin, in my case) and the apache user (apache) to a
common group then making everything writable by that group (with sgid
as well) isn't the best solution. Ideally, I'd like the apache user to
not have any write capability to limit the possibility of a site
compromise from taking down the whole site.

The umask on fedora is 0022 by default, and I can't figure out how to
change it to something that would even enable setting the group sgid
such that users in the group can write files while maintaining group
permissions.

Here's an example of what happens with the apache user creating new
directories (such as what would happen when new joomla modules are
installed through the joomla interface):

-bash-4.3$ id
uid=48(apache) gid=48(apache) groups=48(apache),993(nagios),1000(joomadmin)
-bash-4.3$ umask
0022
-bash-4.3$ mkdir mod_tmp
-bash-4.3$ ls -ld mod_tmp
drwxr-sr-x 2 apache joomadmin 4096 Oct 26 10:19 mod_tmp

Creating directories with mode 755 (with sgid bit inherited) does not
leave any ability for other users in that group to write files to that
directory.

I understand there is also suPHP, but it seems like it's no longer maintained?

I'm open to the PHP-FPM option, but I wanted to first ask the list how
they're handing the situation? It looks very involved to install and
potentially affects overall server performance.

Are you making the site admin user accessing and modifying the site
remotely (scp, sFTP, etc) the same as apache? Are you using PHP-FPM?
If so, is there a Fedora or Apache guide you recommend? Are you
changing the umask to be able to put the two users in the same group?
If so, how? I tried editing the unit service, and changing the umask
there, but that didn't have any effect.

Thanks,
Alex

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message