How to get Apache to write files as group writable?
Paul Howarth
paul at city-fan.org
Thu Sep 15 15:43:33 UTC 2005
Jay Paulson wrote:
>>> I also found that in the /etc/httpd/conf/httpd.conf file you can
>>> change the group apache runs as from apache to www (or whatever group
>>> you want). Then start up /etc/init.d/httpd as root for it to take
>>> effect (at least that's what it says in the httpd.conf file).
>>> My question now is which is the better way?
>>> I'll have to try both ways. :)
>>
>>
>> The two things are completely different.
>>
>> Changing the group in /etc/httpd/conf/httpd.conf just changes group
>> that apache runs as. It will not affect the permission bits of files
>> created by the web server in any way, only the GID of those files (if
>> you're using the SGID bit on a directory, the GID of newly-created
>> files will be the same as the directory, otherwise, the GID of the
>> running process).
>>
>> Be careful about the UID/GID you run httpd as, and the
>> UID/GID/permissions of the files on your system. Security-wise, the
>> httpd should run with just enough permissions to be able to function
>> correctly, i.e. it should not be able to write to most files, just
>> read the files it's serving and write to files/directories that you
>> want to be able to upload to.
>>
>> Changing the umask to 002 will mean that newly-created files will have
>> write permissions set for the UID and GID of the file.
>>
>> Paul.
>
>
> Thanks for the explanation, it makes perfect sense to me and the security
> issue you bring up is very serious.
>
> The reason why I need apache to have write permissions set for the UID
> and the GID is that I have other users who log in locally and will need
> access to modify those files that are uploaded via apache. Hence the
> reason why my local users and apache are all in the 'www' group. This,
> as you pointed out, isn't best for security, which really does concern me.
>
> Is there a more secure way of setting this up so that files that are
> created by apache are writable by the group and the local users without
> compromising the security of the rest of the files on the web root
> through apache?
Try this:
- create a new group specifically to cover the area that httpd and your
local users should be able to write to, and add user apache and your
local users to that group.
- change the GID of that directory and everything underneath it to the
new group.
- set the SGID bit on that directory and all directories underneath it
so that new files created there have the correct group ID.
- change httpd.conf back to the default of running as user and group apache.
- make sure that your web root is not owned by user apache so that it
cannot write to it.
- start httpd with a umask of 002 so that it sets the group write bit on
any files it creates.
Paul.
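The steps in Paul's reply, written up as shell functions (an added example, not part of the list post). It assumes GNU `stat`, a Linux box where `groupadd`/`usermod` exist, and that you pick your own group name and upload directory; the account-changing function needs root and is never called unguarded.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Group name, web root and
# upload path are assumptions; adjust to your layout.

# Step 1: dedicated group for the shared upload area, with apache and the
# local users as members. Needs root; modifies system accounts.
make_shared_group() {   # make_shared_group GROUP USER...
    grp=$1; shift
    getent group "$grp" >/dev/null || groupadd "$grp"
    for u in "$@"; do usermod -a -G "$grp" "$u"; done
}

# Steps 2 and 3: hand the upload tree to the group, set SGID on every
# directory so new files inherit the group, and make existing files
# group-writable. Directories get an explicit mode so the result does
# not depend on the caller's umask.
prepare_shared_dir() {  # prepare_shared_dir DIR GROUP
    dir=$1; grp=$2
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod u=rwx,g=rwxs,o=rx {} +
    find "$dir" -type f -exec chmod g+w {} +
}

# Step 5: the web root must not be owned by the httpd user, otherwise
# httpd can write outside the upload area. Returns 0 when the check passes.
webroot_owner_ok() {    # webroot_owner_ok WEBROOT HTTPD_USER
    [ "$(stat -c %U "$1")" != "$2" ]
}

# Step 6: what httpd will do once started under umask 002. Creates FILE in
# a subshell with that umask and prints its octal mode (664, not 644).
create_with_umask_002() {   # create_with_umask_002 FILE
    ( umask 002; : > "$1" )
    stat -c %a "$1"
}

# Octal mode of a path; a prepared directory shows 2775 (SGID + rwxrwxr-x).
path_mode() { stat -c %a "$1"; }
```

Start httpd from a shell (or init script) that has already run `umask 002`; the functions above only prepare the tree and verify the resulting modes.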