From: Alex
Date: Wed, 26 Oct 2016 10:27:48 -0400
To: users@httpd.apache.org
Subject: [users@httpd] Apache on Fedora and DocumentRoot permissions

Hi,

I have a fedora24 install with apache-2.4.23 and the latest version of joomla, and I'm having some problems with the inability of the apache user to modify files while also allowing the site admin account to modify those same files in the document root.

I understand there are several solutions to this problem, but I don't know which one is the best for me, both from a security and functionality perspective. I've been setting up apache sites for a really long time, although I don't claim to be an expert.

I also know that adding both the site admin user (joomadmin, in my case) and the apache user (apache) to a common group then making everything writable by that group (with sgid as well) isn't the best solution. Ideally, I'd like the apache user to not have any write capability to limit the possibility of a site compromise from taking down the whole site.

The umask on fedora is 0022 by default, and I can't figure out how to change it to something that would even enable setting the group sgid such that users in the group can write files while maintaining group permissions.

Here's an example of what happens with the apache user creating new directories (such as what would happen when new joomla modules are installed through the joomla interface):

    -bash-4.3$ id
    uid=48(apache) gid=48(apache) groups=48(apache),993(nagios),1000(joomadmin)
    -bash-4.3$ umask
    0022
    -bash-4.3$ mkdir mod_tmp
    -bash-4.3$ ls -ld mod_tmp
    drwxr-sr-x 2 apache joomadmin 4096 Oct 26 10:19 mod_tmp

Creating directories with mode 755 (with sgid bit inherited) does not leave any ability for other users in that group to write files to that directory.

I understand there is also suPHP, but it seems like it's no longer maintained? I'm open to the PHP-FPM option, but I wanted to first ask the list how they're handling the situation. It looks very involved to install and potentially affects overall server performance.

Are you making the site admin user accessing and modifying the site remotely (scp, sFTP, etc.) the same as apache?

Are you using PHP-FPM? If so, is there a Fedora or Apache guide you recommend?

Are you changing the umask to be able to put the two users in the same group? If so, how? I tried editing the unit service, and changing the umask there, but that didn't have any effect.

Thanks,
Alex
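
The behaviour in the shell session above can be reproduced in a scratch directory. The following is an added example, not part of the original message: it creates a directory and a file inside a setgid parent under several umask values and reports the resulting mode, showing that the setgid bit only carries the group ownership forward while the umask alone decides the group write bit. The function names and the scratch directory are made up for this demo; it assumes Linux setgid semantics.

```shell
#!/bin/sh
# Added example: how the process umask decides whether entries created
# inside a setgid directory end up group-writable. All names are hypothetical.

# mode_under_umask UMASK KIND -> prints the ls(1) mode string of a new entry
# (KIND is "dir" or "file") created inside a setgid parent directory.
mode_under_umask() {
    um=$1 kind=$2
    parent=$(mktemp -d) || return 1
    chmod 2775 "$parent"            # setgid parent, like the shared docroot
    (
        umask "$um"
        if [ "$kind" = dir ]; then
            mkdir "$parent/entry"   # mkdir(2) asks for 0777, umask bits removed
        else
            : > "$parent/entry"     # open(2) asks for 0666, umask bits removed
        fi
    ) || { rm -rf "$parent"; return 1; }
    ls -ld "$parent/entry" | cut -c1-10
    rm -rf "$parent"
}

# group_can_write MODESTRING -> exit status 0 if the group write bit is set.
group_can_write() {
    case $1 in
        ?????w????) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per umask/kind combination.
report() {
    for um in 0022 0002 0027; do
        for kind in dir file; do
            m=$(mode_under_umask "$um" "$kind")
            if group_can_write "$m"; then gw=yes; else gw=no; fi
            printf 'umask %s  %-4s  %s  group-writable=%s\n' "$um" "$kind" "$m" "$gw"
        done
    done
}

report
```
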