Thoughts On Apache Permissions

English Network/Internet
1

Long time, no post! But I figured I’d run this past the gurus here to get some ideas.

We have a Web server running an older version of OpenSUSE 11. I’m upgrading it as we speak. I figured I’d take that opportunity to address some irritating issues with permissions and access.

We have two virtual servers:

www.company.com

, and forums.company.com. They work splendidly. The DocRoot on these are the folders /home/www/public_html and /home/phpbb3/public_html. In the Home directory, we also have user folders, accessed with the usual “/~username” syntax (and of course, once again, their content is in their own “public_html” folder). Everything works fine at present, but I want to tighten up the permissions a bit. Right now, we occasionally have people logging in with WinSCP or some similar program accidentally clobbering a file in a different directory.

(Doesn’t happen often, so I’ve let it slide for now, but like I said, I figured I might as well address that while I’m upgrading the OS. And just for the record, I didn’t originally set up this Web server. I inherited it – and the permission structure that my predecessor had used.) :slight_smile:

Let’s say /home has these folders, all of which have a “public_html” with content exposed to the Internet:

/home/www
/home/forums
/home/joe
/home/stephen
/home/tommy

One of the things that my predecessor was doing was creating a user each time we added a folder. For example, if we created unique content for Advertiser1, he’d get a /home/Advertiser1 directory with a “public_html” folder. While I want to keep the current directory structure, the truth is, “Advertiser1” will never, ever log into our Web server. Only admins make changes.

How would you do the groups/ownership to ensure that:

  1. Only the admin group can access /home/www (or any of the other “special” folders, not listed above).
  2. Only I can access /home/forums. I’m the admin for our forums.
  3. The admin group OR the users (joe, stephen and tommy) can access the public_html section of their own home directories.

It’s not really that big of a deal – the enterprise versions usually set up a per-user group, ie., a group that has the same name as the user, and each user’s folder is owned by that group. I can simply make sure that the admins are in that group. But I was curious as to what some of you folks here think, those of you who run Webservers (most of which are considerably larger than mine). :slight_smile:

Suggestions? I deeply appreciate it.

2

I have not studied your situation in depth, but I fail to see why you have all those personal webroots in peoples home directoriues when those useers in fact do not exists. Those personal public_html thingy are invented to give end-users the ability to maintain their own web pages (which of course also gives them responsabilities).

The “norma” case is centraly maintained web space(s) from e.g. /srv/www where the web manager (often having www as group, the same group as the apache processes use) is owner. The web manager can of course also have different web roots (as configured in Apache) within /www or elsewhere on the system.

My idea is that you are using the “end-users in their home directories” solution for something it is not designed for. Generaly, using things for what they are not designed for may work, with time you may be able to keep it working) often by doing strange things), but in the end it will backfire.

3

smpoole7 wrote:
> want to tighten up the permissions a bit. Right now, we occasionally
> have people logging in with WinSCP or some similar program accidentally
> clobbering a file in a different directory.

I don’t think you provided enough data to give an explicit answer, but
it sounds like you just need to tighten the permissions that those users
are granted to stop that problem.

> /home/www
> /home/forums
> /home/joe
> /home/stephen
> /home/tommy
>
> One of the things that my predecessor was doing was creating a user
> each time we added a folder. For example, if we created unique content
> for Advertiser1, he’d get a /home/Advertiser1 directory with a
> “public_html” folder. While I want to keep the current directory
> structure, the truth is, “Advertiser1” will never, ever log into our Web
> server. Only admins make changes.

You can mark those accounts so they cannot be logged into.

> How would you do the groups/ownership to ensure that:
>
> 1. Only the admin group can access /home/www (or any of the other
> “special” folders, not listed above).
> 2. Only I can access /home/forums. I’m the admin for our forums.
> 3. The admin group OR the users (joe, stephen and tommy) can access
> the public_html section of their own home directories.

I think the basic thing I would do is set up a separate user for each
home directory, and then set up as many different groups as necessary to
give separate access rights to each portion of the tree.

> It’s not really that big of a deal – the enterprise versions usually
> set up a per-user group, ie., a group that has the same name as the
> user, and each user’s folder is owned by that group. I can simply make
> sure that the admins are in that group. But I was curious as to what
> some of you folks here think, those of you who run Webservers (most of
> which are considerably larger than mine). :slight_smile:

The only addition I can think of to what you already propose is that it
would be possible for each ~xxx/public_html directory to have its own
group, different to the group of ~xxx, if you wanted to prevent admins
from accessing other files in the users’ home directories. Or
equivalently, create a separate group ‘xxx_private’ for each user to use
elsewhere in their directory tree. But I don’t know whether you want
that degree of separation.

4

Thanks for both replies. After thinking about it, and after reading your replies, the current server layout is ridiculously complex. I’m going to move most of the stuff into /srv/www and make do with that.

Thanks again. Sometimes just asking helps clarify one’s thoughts. :slight_smile:

5

A comment…

Your question and as much info as you posted suggests a “home grown” solution which is as you say exceedingly dangerous and prone to errors on many levels, any one which can be catastrophic.

I highly recommend buuilding, then migrating to any of the many CMS frameworks which automatically support any web functions you want like private webs, forums, repositories and built on application level security instead of exposing your system to system level access.

Three frameworks I’ve tested or deployed on openSUSE are Drupal, ocportal and projekt plus other similar systems plone and wikipedia. There many others, too to choose from which are all vastly better than anything home grown.

IMO,
Tony

6

I agree, it is often awfully important to discuss your setup with others. They often come with suggestions you never would have thought about yourself. That is true for all of us.

One more suggestion (just a wild one). If your web pages consume a considerable amount of disk space, are important among the functions of that system, should survive easily a system update, consider putting them on a separate partition (mounted on e.g.* /srv/www,* or another place with a symbolic link). It will give you the same advantages as discussed here often for a separate /home. And at the same time making it easy to move around with that data to e.g. another disk in the future.
Just a suggestion. It is allways difficult to foresee the future (well, something you did know allready :wink: ) and especialy when designing a system for it’s specific tasks.

7

hcvv wrote:

> One more suggestion (just a wild one). If your web pages consume a
> considerable amount of disk space, are important among the functions of
> that system, should survive easily a system update, consider putting
> them on a separate partition (mounted on e.g.- /srv/www,- or another
> place with a symbolic link). It will give you the same advantages as
> discussed here often for a separate -/home-. And at the same time making
> it easy to move around with that data to e.g. another disk in the
> future.

Sounds a sensible idea. If you take it up, you should also remember the
config files in /etc/apache2. You could put those in the same partition
as the data for the sites, or at least mirror a backup copy onto that
device.

8

Yes, a mirror with rsync of any file that is important for running the web-site on that disk/partition is a very good idea! Run that rsync once a day through cron and you are able to take the complete site elsewehere.

9

That’s exactly what it is/was. Like I said, I inherited this from someone else. The use of Virtual Servers when there was no clear need to do so is just one thing.

Again, thanks for the replies. I might look into Drupal.

10

IMO if you understand the virtualization technology that is a good option.

But the type of web application you describe is extremely difficult to write properly from scratch.

Tony