On 10/27/2016 05:48 PM, Alex wrote:
> Hi,
>
>>>> The only way to verify the change "took" is to have the httpd process
>>>> create a file and check the mode of the file created.
>>>
>>> Yes, thanks. I still need to test it for joomla through the apache
>>> user, but as I mentioned in a previous email a few minutes ago, it
>>> still appears to be 0022.
>>>
>>> How is it set for the normal user? I've modified /etc/bashrc (and even
>>> /etc/profile), and the apache user doesn't have a .bashrc or
>>> .bash_profile, and it's still 0022.
>>
>> Where did you set it? By default /etc/profile changes the umask for
>> interactive shells to 0002 under the following criteria:
>>
>> if the user ID is > 199 AND
>> the EUID (by name) is the same as the EGID (by name)
>
> I misinterpreted that when I first read it.
>
>> Otherwise the umask is set to 0022. By default, /etc/bashrc does
>> precisely the same for _non-login_ bash shells.
>>
>> Just to prove you can change the umask via /etc/profile:
>>
>> [root@prophead ~]# su - apache -s /bin/bash -c "umask"
>> 0022
>> [root@prophead ~]# echo "umask 0002" >>/etc/profile
>> [root@prophead ~]# su - apache -s /bin/bash -c "umask"
>> 0002
>>
>> Note that this affects ALL users' interactive shells, so delete that
>> line we just added from the end of /etc/profile as soon as possible
>> after you're satisfied it works.
>>
>> I'd highly recommend you add code to both /etc/profile and /etc/bashrc
>> to selectively change the umask for the apache user (on my machine,
>> that's UID 48).
>
> This is what I've done now, and it works well, thanks.
>
>>> This is important because the "joomadmin" user will be manipulating
>>> these files via sFTP or scp.
>>>
>>> I've also tried modifying the Subsystem variable to first set the
>>> umask before running /usr/libexec/openssh/sftp-server, and the Windows
>>> sFTP client they're using apparently can't handle this.
>>
>> Uh, how? The /etc/ssh/sshd_config line should read:
>>
>> Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002
>>
>> and you must restart sshd via "systemctl restart sshd.service" as
>> /etc/ssh/sshd_config is only read when sshd starts up.
>
> I had set umask prior to spawning sftp-server, as in 'umask 0002;
> /usr/libexec/openssh/sftp-server'.

Yeah, that's wrong. The "-u 0002" option to the sftp-server is there
specifically to handle this sort of thing.

> This whole issue started with trying to figure out which is the
> preferred method for managing access to files by apache and a web
> admin.
>
> Many recommended suPHP, while others recommended other, more
> complicated modules like PHP-FPM. I was surprised there was no more
> comprehensive joomla or apache doc with recommended best practices or
> as part of their security documentation that described more clearly
> how best to secure the DocumentRoot while allowing remote access by
> other users.

PHP-FPM isn't that complicated. PHP runs as a completely separate process
(under its own user and group) from Apache. Apache communicates with it via
either IP or Unix sockets. Therefore the files that php deals with can have
completely different owners and groups and permissions from what Apache has.

If you want to use the worker-thread model of Apache, you MUST use PHP-FPM
because PHP isn't thread-safe (well, PHP itself is thread-safe...some of the
libraries used in PHP aren't).

In fact, the PHP stuff doesn't even have to be on the same physical machine
as Apache. We actually have a set of systems that do nothing but run PHP and
Apache on the web nodes "talk" to them via IP sockets. We can keep things
separate that way and grow the number of PHP machines to handle workloads
(they're behind a load balancer with "sticky" mode set).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital   ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2   ICQ: 226437340   Yahoo: origrps2             -
-                                                                    -
-       Denial. It ain't just a river in Egypt anymore!             -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
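The umask selection rule Rick quotes from the stock /etc/profile (UID > 199 and user name equal to primary group name gives 0002, otherwise 0022), the selective override he recommends for the apache user, and the "create a file and check its mode" verification from the top of the thread, written out as a small POSIX shell script. This is an added example and not code from the thread or from any distribution's /etc/profile; it assumes the web server account is named "apache" (UID 48 on Rick's machine, which is why the stock rule leaves it at 0022), a Linux `stat` with `-c`, and that you would drop the override into a file such as /etc/profile.d/apache-umask.sh (a hypothetical path) rather than append to /etc/profile itself.

```shell
#!/bin/sh
# Added example: reproduce the /etc/profile umask rule described in the
# thread and prove the effect by creating a file and reading its mode.

# Mirror of the stock /etc/profile rule as quoted in the thread:
# UID > 199 AND user name == primary group name  -> 0002, else 0022.
default_umask() {
    # $1 = numeric UID, $2 = user name, $3 = primary group name
    if [ "$1" -gt 199 ] && [ "$2" = "$3" ]; then
        echo 0002
    else
        echo 0022
    fi
}

# Selective override for the web server account, as recommended in the
# thread. Assumption: the account is named "apache". Any other user falls
# through to the stock rule, so interactive shells for everyone else keep
# their usual umask (the point of not appending "umask 0002" globally).
apache_umask() {
    # $1 = user name, $2 = numeric UID, $3 = primary group name
    if [ "$1" = "apache" ]; then
        echo 0002
    else
        default_umask "$2" "$1" "$3"
    fi
}

# Create a file under a given umask and return its permission bits in
# octal. Reading the mode of a freshly created file is the only reliable
# way to confirm a umask change "took" for a process, as noted up-thread.
mode_with_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/probe" )
    stat -c '%a' "$dir/probe"      # GNU coreutils stat (Linux)
    rm -rf "$dir"
}

# Stand-alone demonstration: apache (UID 48, group apache) gets 0022 from
# the stock rule, 0002 from the override; a regular user with UID 1000 and
# a matching private group gets 0002 from the stock rule already.
echo "stock rule, apache (uid 48):      $(default_umask 48 apache apache)"
echo "override, apache (uid 48):        $(apache_umask apache 48 apache)"
echo "stock rule, joomadmin (uid 1000): $(default_umask 1000 joomadmin joomadmin)"
echo "file mode under umask 0022:       $(mode_with_umask 0022)"
echo "file mode under umask 0002:       $(mode_with_umask 0002)"
```

The same override does not help the sftp path, because sftp-server is started by sshd rather than by a login shell; that is what the `Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002` line in /etc/ssh/sshd_config (followed by a restart of sshd) is for.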