Re: Apache and umask for document root

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/07/2016 03:19 PM, Rick Stevens wrote:
> On 09/07/2016 01:38 PM, Emmett Culley wrote:
>> On 09/07/2016 11:08 AM, Rick Stevens wrote:
>>> On 09/07/2016 10:26 AM, Alex wrote:
>>>> Hi,
>>>>
>>>> On Tue, Sep 6, 2016 at 6:42 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
>>>>> On 09/06/2016 01:25 PM, Mike Wright wrote:
>>>>>> On 09/06/2016 01:11 PM, Alex wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've set up a virtual host for a joomla website and having some
>>>>>>> permissions problems. I've seen numerous configurations online about
>>>>>>> how to set umask for the apache user, but none have worked, including
>>>>>>> creating a systemd file
>>>>>>> (/etc/systemd/system/multi-user.target.wants/httpd.service) with the
>>>>>>> following:
>>>>>>
>>>>>>> Umask=0006  <<<<<<<<  ?
>>>>>>
>>>>>> That comes out to 771 : rwxrwx--x.  Maybe 0002 ?
>>>>
>>>> That still didn't work. It must not be reading that httpd.service file.
>>>>
>>>> -bash-4.3$ umask
>>>> 0022
>>>>
>>>>> Apache normally runs as apache:apache. Joomla is just a PHP application
>>>>> running under Apache, so if you're using mod_php, Apache is what will
>>>>> actually be doing the reading and writing of the files and the
>>>>> apache:apache user should have rwx access to the entire tree.
>>>>>
>>>>> If you're running PHP-FPM, then the user that PHP is running as should
>>>>> have own the tree and have rwx access to it, while Apache should have
>>>>> at least r-x access to the tree. You could do that by putting the PHP
>>>>> user in the apache group, giving ownership of the tree to the PHP user
>>>>> and giving group r-x privileges:
>>>>>
>>>>>         useradd -d /path/to/website -g apache phpuser
>>>>>         cd /path/to/website
>>>>>         chown -R phpuser:apache *
>>>>>         chmod -R 750 *
>>>>
>>>> The problem is then when the apache user, through the joomla admin
>>>> front-end, needs to make changes (upload new module, etc) and the
>>>> group doesn't have write privileges.
>>>>
>>>> I could sgid the directory, or write a cron script that changes all
>>>> the permissions back as one user suggested (horrible idea), but making
>>>> all the files and directories group-writable for user apache is a bad
>>>> idea if the apache daemon (or joomla running as the apache user) gets
>>>> compromised, resulting in a shell. This is the problem I'm trying to
>>>> avoid.
>>>
>>> This is the inherent flaw in any application that permits self-
>>> modification such as Joomla, FrontPage, CPanel, etc. You will have to
>>> relax permissions at some point to permit the self-modifications and
>>> potentially open a Pandora's box of hacks and security nightmares.
>>>
>>> You can obviate those by only permitting uploads to a restricted
>>> area and having another, privileged process independently move things
>>> to the appropriate spots periodically.
>>>
>>> Another option is to run the whole mess in a chrooted jail (or at least
>>> the bits that do the self-modification). Again, going to the PHP-FPM
>>> model, run the PHP instance in the chroot jail. If the account is
>>> compromised, then they couldn't damage anything except the parts of
>>> the web service inside the jail that are writable by PHP.
>>>
>>> Belts, suspenders, a haz-mat suit and a full-body condom are your best
>>> defense.
>>>
>> Yep, it is a flaw in such frameworks.  However most of these permission issues could be resolved if I could get apache to retain the group write privileges upon file creation, which setting apache's UMASK to 0002 would fix.
>>
>> So isn't that possible?  I've tried all of the method I've found, including the one above, and nothing seems to make it happen.
> 
> I know you've futzed with the systemd things, but did you modify the
> /usr/lib/systemd/system/httpd.service file (which is the target of the
> symlink "/etc/systemd/system/multi-user.target.wants/httpd.service")
> and modified the two lines that read:
> 
> 	ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
> 	ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
> 
> to read:
> 
> 	ExecStart=umask 002;/usr/sbin/httpd $OPTIONS -DFOREGROUND
> 	ExecReload=umask 002;/usr/sbin/httpd $OPTIONS -k graceful
> 
> (insert "umask 002;" between the "=" and the command). Just stuffing
> "umask 002" into the file itself will change it for the systemd script,
> but not necessarily the subshells that are forked to actually spawn the
> apache process (not 100% sure of that...not sure how systemd forks
> things). Note that running "umask" in a separate shell will tell you
> the umask of the shell you ran "umask" in...not the one running Apache.
> 
> In ye olde days you could edit the "/etc/login.defs" file and put in a
> line that read:
> 
> 	QUOTAS_ENAB yes
> 
> Then you had to modify the /etc/passwd entry for the apache user and put
> "K002" in the GECOS field, e.g.
> 
> 	Old:
> 		apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
> 
> 	New:
> 		apache:x:48:48:Apache K002:/usr/share/httpd:/sbin/nologin
> 
> This may not work as it typically only affects processes that have been
> spawned by login and only if login pays attention to the GECOS key
> fields.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -

That didn't help either:

Sep 07 14:19:51 horse-magazine.info systemd[1]: Reloaded The Apache HTTP Server.
Sep 07 16:35:47 horse-magazine.info systemd[1]: [/usr/lib/systemd/system/httpd.service:10] Executable path is not absolute, ignoring: umask 002;/usr/sbin/httpd $OPTIONS -DFOREGROUND
Sep 07 16:35:47 horse-magazine.info systemd[1]: [/usr/lib/systemd/system/httpd.service:11] Executable path is not absolute, ignoring: umask 002;/usr/sbin/httpd $OPTIONS -k graceful
Sep 07 16:35:47 horse-magazine.info systemd[1]: [/usr/lib/systemd/system/httpd.service:20] Unknown lvalue 'umask' in section 'Service'
Sep 07 16:35:47 horse-magazine.info systemd[1]: httpd.service has no ExecStart= setting, which is only allowed for Type=oneshot services. Refusing.

Emmett
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux