Re: Apache and umask for document root

Hi,

On Tue, Sep 6, 2016 at 6:42 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
> On 09/06/2016 01:25 PM, Mike Wright wrote:
>> On 09/06/2016 01:11 PM, Alex wrote:
>>> Hi,
>>>
>>> I've set up a virtual host for a joomla website and having some
>>> permissions problems. I've seen numerous configurations online about
>>> how to set umask for the apache user, but none have worked, including
>>> creating a systemd file
>>> (/etc/systemd/system/multi-user.target.wants/httpd.service) with the
>>> following:
>>
>>> Umask=0006  <<<<<<<<  ?
>>
>> That comes out to 771 : rwxrwx--x.  Maybe 0002 ?
>
> Apache normally runs as apache:apache. Joomla is just a PHP application
> running under Apache, so if you're using mod_php, Apache is what will
> actually be doing the reading and writing of the files and the
> apache:apache user should have rwx access to the entire tree.
>
> If you're running PHP-FPM, then the user that PHP is running as should
> own the tree and have rwx access to it, while Apache should have
> at least r-x access to the tree. You could do that by putting the PHP
> user in the apache group, giving ownership of the tree to the PHP user
> and giving group r-x privileges:
>
>         useradd -d /path/to/website -g apache phpuser
>         cd /path/to/website
>         chown -R phpuser:apache *
>         chmod -R 750 *
>
> or something like that. Also watch out for selinux denials. "Here be
> dragons!"

Some time ago, I had posted a message to this list regarding apache
permissions in a DocumentRoot with joomla. The problem I was having
was with the user doing local modifications (joomadmin) not being able
to modify files uploaded or changed by the joomla apache user
(apache).

Numerous suggestions were made, including changing all the files to be
sgid write, adding the users to a common group, and other, more
complicated recommendations.

I'm really surprised at the state of security by many of these
suggestions. In an ideal world, the apache user should have no write
ability, except perhaps to some temp directory. Instead, people are
recommending providing long-standing write permissions to the entire
DocumentRoot where the apache user can read and write virtually every
file, potentially taking down the entire website if there's ever an
apache vulnerability.

Even with that aside, the sgid option didn't work for me because the
umask is still 0022, which creates new directories without write
permission for the group. I've searched and searched, and there does
not appear to be a working solution to changing the umask for the
apache user in fedora24.

Other suggestions involve basically an suid script (suPHP), but it
seems complicated and security-prone. Another called PHP-FPM looks
very involved and also isn't included with the default apache install
due to security implications.

The suPHP option seems quite old, with no updates since 2013 that I
can find. I'm open to the PHP-FPM option, but I wanted to first ask
the list how they're handling the situation?

Are you making the remote user (sFTP, etc) the same as apache? Are you
using PHP-FPM? If so, is there a Fedora guide you recommend? Are you
changing the umask to be able to put the two users in the same group?
If so, how? I tried editing the unit service but that didn't have any
effect.

Any ideas greatly appreciated.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
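An added example to go with this thread (not code from the original post or from the Fedora project). It demonstrates the two mechanics the message turns on: why a setgid DocumentRoot alone does not help while the writing process keeps umask 0022, and how a systemd drop-in sets the umask for httpd.service. It also lays the scratch tree out the way the message argues for, with the web-server group read-only everywhere except one upload directory. The key name matters: systemd directive names are case-sensitive and the documented key is `UMask=` in the `[Service]` section, so a file containing `Umask=` is ignored; a drop-in under `/etc/systemd/system/httpd.service.d/` also survives package updates, which an edited copy of the unit does not. Assumptions: Linux with GNU `stat`, the Fedora unit name `httpd.service`, and temporary paths created by `mktemp` (constructed for the demo; the real drop-in directory is used only if no argument is given).

```shell
#!/bin/sh
# Added example, not from the thread. Shows the setgid-vs-umask interaction
# and a systemd drop-in for UMask=. Paths from mktemp are constructed here.

# True if the group-write bit is set ("w" in column 6 of ls-style mode output).
group_writable() {
  [ "$(stat -c '%A' "$1" | cut -c6)" = "w" ]
}

# Create a directory with the given umask in effect, as a web application
# running under httpd would. The subshell keeps the umask change local.
mkdir_with_umask() {   # $1 = path, $2 = umask, e.g. 0022
  (umask "$2" && mkdir "$1")
}

# Build a scratch DocumentRoot in a least-privilege shape: the tree is
# read-only for the web server's group and only one upload directory is
# group-writable. The setgid bit (2xxx) makes new entries inherit the group,
# but it does nothing about the mode bits, which come from the creator's umask.
make_docroot() {
  root=$(mktemp -d)
  chmod 2750 "$root"            # owner rwx, group r-x: httpd only reads here
  mkdir "$root/images"
  chmod 2770 "$root/images"     # the single place httpd is allowed to write
  echo "$root"
}

# Write a drop-in for httpd.service into $1 (default: the real drop-in dir)
# setting UMask= to $2 (default 0002). Prints the path of the file written.
# After writing the real file: systemctl daemon-reload && systemctl restart httpd
write_httpd_umask_dropin() {
  dropin_dir=${1:-/etc/systemd/system/httpd.service.d}
  mkdir -p "$dropin_dir"
  printf '[Service]\nUMask=%s\n' "${2:-0002}" > "$dropin_dir/umask.conf"
  echo "$dropin_dir/umask.conf"
}

# Demonstration: the same mkdir under umask 0022 and 0002 inside the setgid
# upload directory. Only the 0002 result is group-writable, which is what the
# "put both users in one group" approach needs from httpd.
demo() {
  root=$(make_docroot)
  mkdir_with_umask "$root/images/by_0022" 0022
  mkdir_with_umask "$root/images/by_0002" 0002
  stat -c '%A %n' "$root/images/by_0022" "$root/images/by_0002"
  rm -rf "$root"
}

demo
```

Running `demo` prints two lines such as `drwxr-sr-x .../by_0022` and `drwxrwsr-x .../by_0002`: the group inheritance from setgid is present in both, but only the second is group-writable. Note the trade-off the message raises: with `UMask=0002` every file httpd writes becomes group-writable, so the group should be limited to the administering account, and the writable area kept to the upload directory rather than the whole DocumentRoot. SELinux labelling (`httpd_sys_rw_content_t` on the writable directory) is a separate requirement on Fedora and is not handled by this script.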