Re: Apache and umask for document root

Hi,

>>> The only way to verify the change "took" is to have the httpd process
>>> create a file and check the mode of the file created.
>>
>> Yes, thanks. I still need to test it for joomla through the apache
>> user, but as I mentioned in a previous email a few minutes ago, it
>> still appears to be 0022.
>>
>> How is it set for the normal user? I've modified /etc/bashrc (and even
>> /etc/profile), and the apache user doesn't have a .bashrc or
>> .bash_profile, and it's still 0022.
>
> Where did you set it? By default /etc/profile changes the umask for
> interactive shells to 0002 under the following criteria:
>
>         if the user ID is > 199 AND
>         the EUID (by name) is the same as the EGID (by name)

I misinterpreted that when I first read it.

> Otherwise the umask is set to 0022. By default, /etc/bashrc does
> precisely the same for _non-login_ bash shells.
>
> Just to prove you can change the umask via /etc/profile:
>
>         [root@prophead ~]# su - apache -s /bin/bash -c "umask"
>         0022
>         [root@prophead ~]# echo "umask 0002" >>/etc/profile
>         [root@prophead ~]# su - apache -s /bin/bash -c "umask"
>         0002
>
> Note that this affects ALL users' interactive shells, so delete that
> line we just added from the end of /etc/profile as soon as possible
> after you're satisfied it works.
>
> I'd highly recommend you add code to both /etc/profile and /etc/bashrc
> to selectively change the umask for the apache user (on my machine,
> that's UID 48).

This is what I've done now, and it works well, thanks.

>> This is important because the "joomadmin" user will be manipulating
>> these files via sFTP or scp.
>>
>> I've also tried modifying the Subsystem variable to first set the
>> umask before running /usr/libexec/openssh/sftp-server, and the Windows
>> sFTP client they're using apparently can't handle this.
>
> Uh, how? The /etc/ssh/sshd_config line should read:
>
>         Subsystem       sftp    /usr/libexec/openssh/sftp-server -u 0002
>
> and you must restart sshd via "systemctl restart sshd.service" as
> /etc/ssh/sshd_config is only read when sshd starts up.

I had set umask prior to spawning sftp-server, as in 'umask 0002;
/usr/libexec/openssh/sftp-server'.

This whole issue started with trying to figure out which is the
preferred method for managing access to files by apache and a web
admin.

Many recommended suPHP, while others recommended other, more
complicated modules like PHP-FPM. I was surprised there was no more
comprehensive joomla or apache doc with recommended best practices or
as part of their security documentation that described more clearly
how best to secure the DocumentRoot while allowing remote access by
other users.

Meanwhile, a security vulnerability in apache leading to a shell means
it then has complete write access to the site.

Gordon Messmer wrote:
> Assume that we don't know what your process is, and be specific
> about how you're uploading new modules, please.

I'm referring to the procedure typically used by joomla admins through
the web-based admin interface included with joomla. It logs in as a
system user then I believe uses sftp to upload files from the local
desktop or somewhere on the joomla system.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
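An added example, not code from this thread or from anyone on it: a small POSIX shell script that does the three things discussed above. It predicts the mode a given umask will produce (files start from 0666, directories from 0777, and the umask bits are cleared), verifies the prediction the way the thread suggests, by having a child process with that umask actually create a file and a directory and reading the modes back with stat, and encodes the per-user rule recommended for /etc/profile and /etc/bashrc (only the apache account gets umask 0002, everyone else keeps 0022). The account name `apache`, the probe file names and the use of GNU `stat -c` (with a BSD `stat -f` fallback) are assumptions. One caveat worth keeping in mind: the file-creation check is the only one that proves anything for httpd itself, because a daemon started by systemd never sources /etc/profile or /etc/bashrc; its umask comes from the unit file (the `UMask=` setting), so a umask that a `su - apache` shell reports says nothing about what httpd will do.

```shell
#!/bin/sh
# Added example, not from the thread: predict, observe and encode umask
# behaviour for a web DocumentRoot shared between a daemon and an admin user.

# effective_mode BASE UMASK
#   Prints, in octal, the mode a new object gets: BASE with the UMASK bits
#   cleared. BASE is 0666 for a regular file and 0777 for a directory.
#   printf '%d' interprets a leading 0 as octal, which keeps this POSIX-safe.
effective_mode() {
    b=$(printf '%d' "0$1")
    u=$(printf '%d' "0$2")
    printf '%04o\n' $(( b & ~u ))
}

# observed_mode UMASK
#   The check the thread recommends: run a child process under UMASK, let it
#   create a file and a directory in a scratch directory, and report the modes
#   the filesystem actually assigned ("FILE DIR", both octal).
observed_mode() {
    dir=$(mktemp -d)
    ( umask "$1"; : > "$dir/probe"; mkdir "$dir/probe.d" )
    f=$(stat -c '%a' "$dir/probe"   2>/dev/null || stat -f '%Lp' "$dir/probe")
    d=$(stat -c '%a' "$dir/probe.d" 2>/dev/null || stat -f '%Lp' "$dir/probe.d")
    rm -rf "$dir"
    printf '%04o %04o\n' "0$f" "0$d"
}

# umask_for_user NAME
#   The selective rule suggested for /etc/profile and /etc/bashrc, written as a
#   function so it can be exercised with any account name. In the profile
#   itself the same rule reads:
#       if [ "$(id -un)" = apache ]; then umask 0002; fi
#   (assumed account name; the system default of 0022 is left alone otherwise)
umask_for_user() {
    case "$1" in
        apache) echo 0002 ;;
        *)      echo 0022 ;;
    esac
}

# Demonstration when run directly: prediction next to observation.
for m in 0022 0002; do
    printf 'umask %s: predicted file %s dir %s, observed %s\n' \
        "$m" "$(effective_mode 0666 "$m")" "$(effective_mode 0777 "$m")" \
        "$(observed_mode "$m")"
done
```

Run it as any user; the observed modes should match the predictions line for line. To apply the same check to the web application rather than to a shell, have the application (Joomla's own upload or a PHP page that calls `touch`) create a file inside the DocumentRoot and inspect that file's mode with `ls -l` or `stat`; a group-writable result (0664 for files, 0775 for directories) is what a umask of 0002 looks like from the outside.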