Those pesky Apache permissions (was Re: (kein Betreff))

David Tonhofer, m-plify S.A. d.tonhofer at m-plify.com
Thu Mar 2 22:02:30 UTC 2006 

--On Thursday, March 02, 2006 10:05 PM +0100 Krassen Deltchev <deltchev at neurop.rub.de> wrote:

> Hello,
>
> i have a very odd problem:

Woah! Serious trouble, man (just joking but arm yourself with courage
to climb the learning curve...). And get a good book.

Here's what you want to do:

1) Any apache-related stuff is often best asked in the apache
   discussion group.. err here:
   <http://httpd.apache.org/lists.html#http-users>

2) About the permissions question:

a) Make sure apache is running non-root. What does ps faux show?
   Something like this? Good. The apache user is configured in
   httpd.conf

   root     25695  0.0  0.0 120016 1736 ?       Ss   Feb12   0:00 /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
   apache   18361  0.0  0.1 120392 5084 ?       S    Mar01   0:00  \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
   apache    2411  0.0  0.1 120504 5156 ?       S    14:19   0:00  \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
   apache    2521  0.0  0.1 120544 5248 ?       S    14:19   0:00  \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
   apache    2522  0.0  0.1 120520 5204 ?       S    14:19   0:00  \_ /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP

b) Webspace file permission have nothing to do with httpd.conf
   It has everything to do with the OS.

   What you want is:

   WORLD

   Make sure the files in the website can be read by the user running the
   webserver (apache or httpd) -> make them world-readable, directories
   executable.

   Make sure the files in the website cannot be modified by the user running the
   webserver (apache or httpd) -> make them not-world-writeable

   GROUP

   You have a special group that can change stuff (group 33). All the stuff
   on the site should be owned by that group. The group must be able to
   read and write files and to read, write, execute directories.
   ADDITIONALLY, newly created files and directories need to 'inherit'
   the group ownership. Set the 'group setuid' bit on the directories.
   (chmod g+s)

   Edit /etc/group and put all your user 1002 1003 1004 into that group
   (vigr). Users should be able to modify files and directories as these
   files and directories are writeable by group 33.

   However, suppose user 1003, primary group 1003, creates a new file.
   In that case, the file is owned by group 1003 instead of 33.
   Not good. So we have to set the 'setuid group' flags on the directories.
   That way, the directories transfer their group ownership to newly
   created child directories (quite a hack, eh?) That flag is inherited
   through a newly created directory hierarchy. Which is nice.

   Adding the directory 'setuid group' flag is done by:

   chmod g+s bar   (see the find command below)

   USER

   The owning user may be root for example. It's not that important.
   Permissions may be rwx (but make sure you have no setuid root executables
   in there... :-P

Commands:

   find /var/my/website -type f -exec chmod u=rw,g=rw,o=r '{}' ';'
   find /var/my/website -type d -exec chmod u=rwx,g=rwxs,o=rx '{}' ';'
   find /var/my/website -exec chown root.33 '{}' ';'



No guarantees on anything....

Good luck.

More information about the redhat-list mailing list