I have an Apache web server with a few virtual hosts. The ftp is handled by proftpd, and I have multiple users defined. These users have their own uid and gid. The problem comes when Apache is uid apache and needs to write to the said directory. I am wondering what other people have done to deal with this. Do people just set all the ftp users' uid/gid to the same as the Apache uid/gid on the system? Obviously this would be an ok solution because apache uid/gid != root. What are the other ways you guys have dealt with this? Thanks eric
> What are the other ways you guys have dealt with this?

You have multiple ways to do this. For example, create group "virtualhosting". Add apache, and the users whom you are hosting, to this group. Change the folder group to virtualhosting and allow group writing to the folder. It must work ;-)

Or a more secure solution: create groups for each virtual host, like virtualhost1, virtualhost2, ... etc. and add the apache user to each of them, then do chown+chmod as described above. Now apache is a member of each virtualhostNN. The user also must be a member of his personal virtualHost_USER_ASSOCIATED group. Both apache and the user can write to the folder. Other users can't write to this folder. Something like this.

-- 
Best regards
Alexandr R. Ogurtzoff
{ UNIX is user friendly, it's just picky about who its friends are }
Alexandr wrote regarding 'Re: [SLE] Apache and multiple Virtual Hosts best practices' on Fri, Nov 19 at 11:48:
> > What are the other ways you guys have dealt with this?
>
> You have multiple ways to do this. For example, create group "virtualhosting". Add apache, and the users whom you are hosting, to this group. Change the folder group to virtualhosting and allow group writing to the folder. It must work ;-)

Do keep in mind that this grants all users access to write to each other's folders, too. "But I can tell who creates files by looking at the UID." True, but you can't tell who typed

for F in `find ~userIhate/ -type f`; do echo 'owned' > $F; done

or

rm -r ~userIhate/

I'd guess that your typical web hosting provider would want to prevent this kind of thing... :)

--Danny, chock full of bad ideas today
On Friday 19 November 2004 18:55, Danny Sauer wrote:
> Do keep in mind that this grants all users access to write to each other's folders, too. "But I can tell who creates files by looking at the UID." True, but you can't tell who typed
>
> for F in `find ~userIhate/ -type f`; do echo 'owned' > $F; done
>
> or
>
> rm -r ~userIhate/
>
> I'd guess that your typical web hosting provider would want to prevent this kind of thing... :)

This is why god gave us the sticky bit

chmod +t /directories

or ACLs, something like

setfacl -R -m g:groupofapache:rwx /directories/
Anders wrote regarding 'Re: [SLE] Apache and multiple Virtual Hosts best practices' on Fri, Nov 19 at 12:12:
> On Friday 19 November 2004 18:55, Danny Sauer wrote:
> > Do keep in mind that this grants all users access to write to each other's folders, too. "But I can tell who creates files by looking at the UID." True, but you can't tell who typed
> >
> > for F in `find ~userIhate/ -type f`; do echo 'owned' > $F; done
> >
> > or
> >
> > rm -r ~userIhate/
> >
> > I'd guess that your typical web hosting provider would want to prevent this kind of thing... :)
>
> This is why god gave us the sticky bit
>
> chmod +t /directories
>
> or ACLs, something like
>
> setfacl -R -m g:groupofapache:rwx /directories/
Yeah, but if the goal is to give both the user and the webserver write permission, the sticky bit won't help, as one of the users involved will not be able to change files created by the other. ACLs are good. --Danny
> --Danny, chock full of bad ideas today

Ok... What about the second way - apache + user in the same group? You wrote this also.

BTW. Is that the reason why SUSE doesn't use the user_group policy by default? All new users have a personal group and their $HOME is owned by username:username_group. Something like this:

ls -l /home
drwx------  52 calltop  calltop  2392 Nov 18 15:05 calltop
drwx------ 109 iscander iscander 6280 Nov 19 20:22 iscander
drwx------  15 maxim    maxim     840 Oct 19 14:42 maxim

-- 
Best regards
Alexandr R. Ogurtzoff
{ UNIX is user friendly, it's just picky about who its friends are }
Eric wrote regarding '[SLE] Apache and multiple Virtual Hosts best practices' on Fri, Nov 19 at 09:10:
> I have an Apache web server with a few virtual hosts. The ftp is handled by proftpd, and I have multiple users defined. These users have their own uid and gid. The problem comes when Apache is uid apache and needs to write to the said directory.
>
> I am wondering what other people have done to deal with this. Do people just set all the ftp users' uid/gid to the same as the Apache uid/gid on the system? Obviously this would be an ok solution because apache uid/gid != root.
Probably the easiest solution is to put the apache user into each ftp user's group, and to tell proftpd to create new files/directories with group write permissions in the appropriate places. That gets the apache user write access, and maintains the separation of users from each other.

Alternatively, you might be able to have your Apache application write over an ftp connection to the local host, rather than using direct file access, but then you start running into security problems if you don't plan everything properly.

Or you could consider using another medium to store the data, depending on what's being stored. An SQL server or an LDAP server might work well, if those are options for your situation. *I* generally use a database for most of the situations where users and apache have to have access to the same data, when possible.

--Danny, who dislikes giving apache write access to much of anything :)
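The "apache in each ftp user's group" scheme only works if uploads actually land group-writable and in the right group. The following is an added shell example, not code from the thread or from proftpd: it builds a stand-in upload directory under a temporary root with the setgid bit (so new files inherit the directory's group rather than the uploader's primary group) and then creates one file under umask 022 and one under umask 002, which is the difference proftpd's Umask directive makes for uploads. The group is simply the caller's own primary group, because creating real accounts needs root, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: shared upload directory for "apache + ftp user in one group".
# Not code from the thread. Uses the caller's primary group and a temporary
# root, since creating real users and groups needs root. Assumes GNU stat.

# prepare_shared_dir DIR : create DIR group-writable with the setgid bit,
# so files created inside inherit DIR's group instead of the creator's.
prepare_shared_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"            # drwxrwsr-x
}

# mode_of PATH : octal permission bits, special bits included (e.g. 2775).
mode_of() {
    stat -c '%a' "$1"
}

# create_with_umask DIR NAME UMASK : create DIR/NAME under UMASK, the way an
# upload arrives under proftpd's Umask setting, and print the resulting mode.
create_with_umask() {
    ( umask "$3" && : > "$1/$2" )
    mode_of "$1/$2"
}

# group_writable PATH : succeed if the group write bit is set on PATH.
group_writable() {
    case $(mode_of "$1") in
        *[2367]?) return 0 ;;
    esac
    return 1
}

# demo : show the difference between a default umask and a group-friendly one.
demo() {
    root=$(mktemp -d)
    prepare_shared_dir "$root/vhost1"
    echo "directory:  $(mode_of "$root/vhost1")"
    echo "umask 022:  $(create_with_umask "$root/vhost1" a.html 022)  (apache cannot write)"
    echo "umask 002:  $(create_with_umask "$root/vhost1" b.html 002)  (group can write)"
    rm -rf "$root"
}

demo
```

With umask 022 the upload comes out 644 and the apache user, who is only a group member, cannot modify it; with 002 it comes out 664 and the setgid directory has already stamped it with the shared group, so no chown or chmod pass is needed afterwards.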
Hi, Danny!

> your situation. *I* generally use a database for most of the situations where users and apache have to have access to the same data, when possible.

Yes! When it is possible. And what about files? Do you store source_project.tgz in a BLOB field? ;-) Just a joke.

An idea. Is it possible to use LDAP for storing files? It may be a nice abbstarction, where accounts, access rights, privileges and things (pictures, files, movies etc.) are stored in the same way. Sorry, I can't select the right English word. I hope you understand what I mean.

-- 
Best regards
Alexandr R. Ogurtzoff
{ UNIX is user friendly, it's just picky about who its friends are }
Maybe I'm missing something here, but my vhosts each have an account
associated to them. That user account's public_html directory is what is
referenced in vhosts.conf. So say www.joesgrocery.com would literally be
located in /home/joes/public_html. Then he can do as he wishes.
If this is a bad idea, someone tell me! :)
--
<<JAV>>
---------- Original Message -----------
From: "Alexandr R. Ogurtzoff"

> Hi, Danny!
>
> > your situation. *I* generally use a database for most of the situations where users and apache have to have access to the same data, when possible.
>
> Yes! When it is possible. And what about files? Do you store source_project.tgz in a BLOB field? ;-) Just a joke.
>
> An idea. Is it possible to use LDAP for storing files? It may be a nice abbstarction, where accounts, access rights, privileges and things (pictures, files, movies etc.) are stored in the same way. Sorry, I can't select the right English word. I hope you understand what I mean.
>
> -- 
> Best regards
> Alexandr R. Ogurtzoff
> { UNIX is user friendly, it's just picky about who its friends are }
------- End of Original Message -------
> located in /home/joes/public_html. Then he can do as he wishes. If this is a bad idea, someone tell me! :)

OK, why not? It's possible. Just another way. Maybe better than what I describe. But the "apache" user must have access to $HOME/public_html through all the directories in the complete UNIX path. It means that /home/user must be group-accessible for each user. It means user1 can browse the $HOME directory of user2. On the other hand, $HOME/public_html may be a link to /services/www/htdocs/virtual_hosts/$USER_NAME. Users upload their files by this link. And apache describes the virtual hosts by absolute path.

-- 
Best regards
Alexandr R. Ogurtzoff
{ UNIX is user friendly, it's just picky about who its friends are }
> > located in /home/joes/public_html. Then he can do as he wishes. If this is a bad idea, someone tell me! :)
>
> OK, why not? It's possible. Just another way. Maybe better than what I describe. But the "apache" user must have access to $HOME/public_html through all the directories in the complete UNIX path.

But it will. If you have userdirs turned on in Apache as well, you cover yourself both ways. Apache gets rights to the user's public_html, and the user has the ability to create his site without worry. Now he may have to set perms for execute and such, but he has control and won't step on anyone else's toes.

--
<<JAV>>
Alexandr R. Ogurtzoff wrote:
> > located in /home/joes/public_html. Then he can do as he wishes. If this is a bad idea, someone tell me! :)
>
> OK, why not? It's possible. Just another way. Maybe better than what I describe. But the "apache" user must have access to $HOME/public_html through all the directories in the complete UNIX path. It means that /home/user must be group-accessible for each user. It means user1 can browse the $HOME directory of user2. On the other hand, $HOME/public_html may be a link to /services/www/htdocs/virtual_hosts/$USER_NAME. Users upload their files by this link. And apache describes the virtual hosts by absolute path.

To serve files the apache user only needs execute access to all the parent directories and read access on the files to be served or on the directory containing those files.

drwxr-xr-x root root   /
drwxr-xr-x root root   /home
drwx--x--x user group  /home/user
drwxr-x--x user wwwrun /home/user/public_html

would allow the apache user (as a member of wwwrun) to serve up the whole public_html directory without anyone being able to browse the contents of /home/user other than the user himself.

Jason Joines
=================================
* Alexandr R. Ogurtzoff;
> > located in /home/joes/public_html. Then he can do as he wishes. If this is a bad idea, someone tell me! :)
Not a bad idea
> OK, why not? It's possible. Just another way. Maybe better than what I describe. But the "apache" user must have access to $HOME/public_html through all the directories in the complete UNIX path. It means that /home/user must be group-accessible for each user. It means user1 can browse the $HOME directory of user2. On the other hand, $HOME/public_html may be a link to /services/www/htdocs/virtual_hosts/$USER_NAME. Users upload their files by this link. And apache describes the virtual hosts by absolute path.

Why not let users upload their files into their $HOME/public_html, and then you as the admin can set a cron job, say hourly, which uses rsync to copy the files from the user's directory to the /srv/www/VHOST directory. This way you do not need to worry about the permissions in the VHOST directory.

-- 
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
Alexandr wrote regarding 'Re: [SLE] Apache and multiple Virtual Hosts best practices' on Fri, Nov 19 at 12:06:
> Hi, Danny!
>
> > your situation. *I* generally use a database for most of the situations where users and apache have to have access to the same data, when possible.
>
> Yes! When it is possible. And what about files? Do you store source_project.tgz in a BLOB field? ;-) Just a joke.
Yup, and all text files (HTML, etc) are stored in TEXT fields with fulltext indexing enabled. Why not? ;) (yes, I'm kidding, too)
> An idea. Is it possible to use LDAP for storing files? It may be a nice abbstarction, where accounts, access rights, privileges and things (pictures, files, movies etc.) are stored in the same way. Sorry, I can't select the right English word. I hope you understand what I mean.
Normally, you'd store a path to a file in the DB (MySQL, LDAP, whatever), and store the file itself somewhere on the actual filesystem. Oh, and "abstraction" is probably the correct term. :) --Danny
participants (7)
- Alexandr R. Ogurtzoff
- Anders Johansson
- Danny Sauer
- Eric Wagar
- Jason Joines
- Joe Polk
- Togan Muftuoglu