How to get Apache to write files as group writable?

Paul Howarth paul at city-fan.org
Thu Sep 15 15:43:33 UTC 2005


Jay Paulson wrote:
>>> I also found that in the /etc/httpd/conf/httpd.conf file you can 
>>> change the group apache runs as from apache to www (or whatever group 
>>> you want).  Then start up /etc/init.d/httpd as root for it to take 
>>> effect (at least that's what it says in the httpd.conf file).
>>> My question now is which is the better way?
>>> I'll have to try both ways. :)
>>
>>
>> The two things are completely different.
>>
>> Changing the group in /etc/httpd/conf/httpd.conf just changes the group 
>> that apache runs as. It will not affect the permission bits of files 
>> created by the web server in any way, only the GID of those files (if 
>> you're using the SGID bit on a directory, the GID of newly-created 
>> files will be the same as the directory's; otherwise, the GID of the 
>> running process).
>>
>> Be careful about the UID/GID you run httpd as, and the 
>> UID/GID/permissions of the files on your system. Security-wise, the 
>> httpd should run with just enough permissions to be able to function 
>> correctly, i.e. it should not be able to write to most files, just 
>> read the files it's serving and write to files/directories that you 
>> want to be able to upload to.
>>
>> Changing the umask to 002 will mean that newly-created files will have 
>> write permissions set for the UID and GID of the file.
>>
>> Paul.
> 
> 
> Thanks for the explanation; it makes perfect sense to me, and the security 
> issue you bring up is very serious.
> 
> The reason why I need apache to have write permissions set for the UID 
> and the GID is that I have other users who log in locally and will need 
> access to modify those files that are uploaded via apache.  Hence the 
> reason why my local users and apache are all in the 'www' group.  This, 
> as you pointed out, isn't best for security, which really does concern me.
> 
> Is there a more secure way of setting this up so that files that are 
> created by apache are writable by the group and the local users without 
> compromising the security of the rest of the files on the web root 
> through apache?

Try this:

- create a new group specifically to cover the area that httpd and your 
local users should be able to write to, and add user apache and your 
local users to that group.

- change the GID of that directory and everything underneath it to the 
new group.

- set the SGID bit on that directory and all directories underneath it 
so that new files created there have the correct group ID.

- change httpd.conf back to the default of running as user and group apache.

- make sure that your web root is not owned by user apache so that it 
cannot write to it.

- start httpd with a umask of 002 so that it sets the group write bit on 
any files it creates.

Paul.
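The steps above, carried out as a shell script that applies the group, SGID and umask settings to an upload directory and then checks the result. This is an added example, not part of the original post. It assumes a Linux system with the usual find/chmod/chgrp tools; the group name `webupload` and the local user name are hypothetical; creating the group and adding members needs root and is shown only in comments; and the demonstration runs on a temporary directory with the caller's own primary group so that it works without root.

```shell
#!/bin/sh
# Added example (not from the original post) of the upload-area setup.
# Root-only steps, shown for reference (hypothetical names):
#   groupadd webupload
#   usermod -a -G webupload apache
#   usermod -a -G webupload alice
# To start httpd with umask 002, the usual place on Fedora is a
# "umask 002" line in /etc/sysconfig/httpd, which the init script
# sources before starting the daemon (assumption about your init script).

# setup_upload_area DIR GROUP
#   Give DIR and everything beneath it to GROUP, make every directory
#   group writable, and set the SGID bit on every directory so that
#   files created there inherit GROUP instead of the creator's GID.
setup_upload_area() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod g+ws {} +
}

# check_upload_area DIR GROUP
#   Returns 0 if every path under DIR belongs to GROUP and every
#   directory carries the SGID bit; prints the offenders otherwise.
check_upload_area() {
    dir=$1; group=$2
    bad=$( { find "$dir" ! -group "$group"; find "$dir" -type d ! -perm -2000; } )
    if [ -n "$bad" ]; then
        printf 'not correctly set up:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# owned_by DIR USER
#   True if DIR itself is owned by USER. The web root must NOT be owned
#   by the httpd user, so for that check the expected result is failure.
owned_by() {
    [ -n "$(find "$1" -maxdepth 0 -user "$2")" ]
}

# create_with_umask DIR NAME UMASK
#   Create a file the way a process started with that umask would, and
#   return 0 only if the file ends up group writable (mode bit 020).
create_with_umask() {
    ( umask "$3" && : > "$1/$2" )
    [ -n "$(find "$1/$2" -perm -020)" ]
}

# demo
#   Runs the whole procedure on a temporary tree using the caller's own
#   primary group (constructed setup; real groups need root). Returns 0
#   when the group/SGID check passes, a file created under the default
#   umask 022 is NOT group writable, and one created under 002 is.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/uploads/2005"
    grp=$(id -gn)
    setup_upload_area "$tmp/uploads" "$grp"
    check_upload_area "$tmp/uploads" "$grp" || return 1
    create_with_umask "$tmp/uploads/2005" a.txt 022 && return 1
    create_with_umask "$tmp/uploads/2005" b.txt 002 || return 1
    rm -rf "$tmp"
}

demo && echo "upload area set up and verified"
```

The SGID bit only fixes the group of new files; without the 002 umask the web server still creates mode 644 files that group members cannot edit, which is why both halves of the setup are needed. Keeping the httpd user out of the web root's ownership (the `owned_by` check) is what limits the damage if the server is ever tricked into writing somewhere else.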




More information about the fedora-list mailing list