Those pesky Apache permissions (was Re: (kein Betreff))

Krassen Deltchev deltchev at neurop.rub.de
Mon Mar 13 09:09:08 UTC 2006 

Hello!
Sorry, for answering to you as a PM and for giving you so late my reply!
The problem has been solved and i wanted to thank you for your
support,really appreciated!
Also i wanted to thank you for the really good walkthrough(written with
a good sense of humour  ;) ),splendid advices!
The only thing ,that i'm still missing is ,that the user(of that
group:33) can't rename the file index.html(example:to index.htm or to
index2.html),but replacing it with a new version of the file works
wonderful using winSCP3.
I have changed the group ownership of the folder containing the whole
data for the html-site(every file has  the group
ownership(33)-rekursiv),the funny thing was, that before doing this
,only the root was the owner of that folder and root was the group owner....
If you have also good advices for books regarding apache webserver,i
would be thankful ,if you let me know!
Nice time and kindest regards!

krassen

David Tonhofer, m-plify S.A. schrieb:

> --On Thursday, March 02, 2006 10:05 PM +0100 Krassen Deltchev
> <deltchev at neurop.rub.de> wrote:
>
>> Hello,
>>
>> i have a very odd problem:
>
>
> Woah! Serious trouble, man (just joking but arm yourself with courage
> to climb the learning curve...). And get a good book.
>
> Here's what you want to do:
>
> 1) Any apache-related stuff is often best asked in the apache
>   discussion group.. err here:
>   <http://httpd.apache.org/lists.html#http-users>
>
> 2) About the permissions question:
>
> a) Make sure apache is running non-root. What does ps faux show?
>   Something like this? Good. The apache user is configured in
>   httpd.conf
>
>   root     25695  0.0  0.0 120016 1736 ?       Ss   Feb12   0:00
> /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
>   apache   18361  0.0  0.1 120392 5084 ?       S    Mar01   0:00  \_
> /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
>   apache    2411  0.0  0.1 120504 5156 ?       S    14:19   0:00  \_
> /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
>   apache    2521  0.0  0.1 120544 5248 ?       S    14:19   0:00  \_
> /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
>   apache    2522  0.0  0.1 120520 5204 ?       S    14:19   0:00  \_
> /usr/local/apache2/bin/httpd -DSSL -DTOMCAT -DPHP
>
> b) Webspace file permission have nothing to do with httpd.conf
>   It has everything to do with the OS.
>
>   What you want is:
>
>   WORLD
>
>   Make sure the files in the website can be read by the user running the
>   webserver (apache or httpd) -> make them world-readable, directories
>   executable.
>
>   Make sure the files in the website cannot be modified by the user
> running the
>   webserver (apache or httpd) -> make them not-world-writeable
>
>   GROUP
>
>   You have a special group that can change stuff (group 33). All the
> stuff
>   on the site should be owned by that group. The group must be able to
>   read and write files and to read, write, execute directories.
>   ADDITIONALLY, newly created files and directories need to 'inherit'
>   the group ownership. Set the 'group setuid' bit on the directories.
>   (chmod g+s)
>
>   Edit /etc/group and put all your user 1002 1003 1004 into that group
>   (vigr). Users should be able to modify files and directories as these
>   files and directories are writeable by group 33.
>
>   However, suppose user 1003, primary group 1003, creates a new file.
>   In that case, the file is owned by group 1003 instead of 33.
>   Not good. So we have to set the 'setuid group' flags on the
> directories.
>   That way, the directories transfer their group ownership to newly
>   created child directories (quite a hack, eh?) That flag is inherited
>   through a newly created directory hierarchy. Which is nice.
>
>   Adding the directory 'setuid group' flag is done by:
>
>   chmod g+s bar   (see the find command below)
>
>   USER
>
>   The owning user may be root for example. It's not that important.
>   Permissions may be rwx (but make sure you have no setuid root
> executables
>   in there... :-P
>
> Commands:
>
>   find /var/my/website -type f -exec chmod u=rw,g=rw,o=r '{}' ';'
>   find /var/my/website -type d -exec chmod u=rwx,g=rwxs,o=rx '{}' ';'
>   find /var/my/website -exec chown root.33 '{}' ';'
>
>
>
> No guarantees on anything....
>
> Good luck.
>


-- 
----

Krassen Deltchev
Ruhr-Universität Bochum
Medizinische Fakultät
Institut für Physiologie
Abteilung für Neurophysiologie
MA 4-155
Universitätsstrasse 150
44801 Bochum
e-mail: deltchev at neurop.rub.de
            Krassen.Deltchev at rub.de
tel.work:    0234.32.24918

More information about the redhat-list mailing list