3

I have an apache web server set up where multiple people have their websites hosted, mostly php based websites.

The problem is, when these people upload their website files, it has read permissions for all, so everybody can read everybody's files, including files that include database user data which can be very dangerous.

They ssh into the server and 'cat' other people's files, but even disabling SSH won't solve the problem because they can publish a php code that does something like this

echo file_get_contents( '/home/someotheruser/public_html/config.php' );

What's the best approach for solving this?

Improve this question
5
  • As far as I know, the best solution is sandboxing (virtual machine for each client). However there may be some solution around umask. Commented Mar 16, 2014 at 2:23
  • How are these users authenticating? Are they all in the same group? What OS are you running? Why do they have read access to other user's directories in the first place? Commented Mar 16, 2014 at 2:28
  • Read access is necessary because apache needs to read these files, and what's even worse some do CHMOD 777 to their files for wordpress and other apps. It's a Debian box. Commented Mar 16, 2014 at 2:38
  • @terdon they're authenticating via SSH and FTP. I wouldn't mind disabling SSH but it still wouldn't solve the problem as mentioned in the question. Commented Mar 16, 2014 at 2:45
  • What user and group is Apache running as? Read access to other users is not necessary, only read access by the Apache daemon. If your users go and muck up the permissions, it's a human problem, but they shouldn't have to do that. Commented Mar 16, 2014 at 2:59

1 Answer 1

Reset to default
2

The only 2 methods I'm aware of where you can set this up so that Apache can see X number of users' content, but these same users are blind to each others' content is to use a separate Unix group for each user, that Apache is a member of as well or through ACLs.

Method #1 - using groups

Simply put each user into their own unique group (group1, group2, etc.). Then add Apache to each of these groups. This can be done using chgrp and chmod to give the directories and files the appropriate groups + permissions. You'll likely want to set the GUID bit on these directories as well, so that any new files that are added have the appropriate group assigned automatically.

NOTE: This method can be broken by the users fairly easily, not irrevocably broken, just broken so that their files can no longer be seen by Apache. I'd suggest providing them with a few aliases or scripts to help maintain their directories.

Method #2 - using ACLs

You can add Apache's group ID to each user's directories of content like so.

Example

$ whoami
saml

$ groups
saml wheel wireshark

setup a directory with perms + ownerships

$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/

before

$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir

set permissions

$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/

Notice the + at the end, that means this directory has ACLs applied to it.

$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---

after

$ touch somedir/afile
$ ll somedir/afile 
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
$

Notice with the default permissions (setfacl -Rdm) set so that the permissions are (r-x) by default (g:apache:rx). This forces any new files to only have their r bit enabled.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.