Re: Using Samba to share Apache web root, securely




On Mon, 2011-08-08 at 21:32 -0500, Trey Dockendorf wrote:
> I'm setting up a shared web server running Apache.  Each web root will
> belong to a department, which has a corresponding Active Directory
> group to give access.  So far I've got samba working and such, but am
> having some trouble wrapping my head around the necessary permissions
> to make all this work, especially securely.  So far I've found that
> both the POSIX and the ACL permissions must both allow a user to write
> to directory which is proving problematic.  Is it better to give the
> web root directories very "loose" permissions and have Samba manage
> who can access the folders?
> 
> 
> A few options I've come across would have a user's logged in account
> mapped to the "apache" user through samba, using the "force user", but
> that seems like a security risk allowing users to be apache.  Another
> option I currently have working is using a default ACL for apache to
> give the web server read of all the files.  The problem I have with
> this is some directories require write and some files should have read
> only (like db config files), so again a global permission set doesn't
> seem to work.
> 
> 
> I'd be very interested in knowing how someone has solved a problem
> like this.
----
mkdir /var/www/html/department_a
chown root:department_a /var/www/html/department_a
chmod g+ws /var/www/html/department_a

smb.conf

[Department A Web]
        comment = Department A Web Server
        # your call on this one
        browseable = Yes
        writeable = yes
        path = /var/www/html/department_a
        directory mask = 775
        create mask = 664
        valid users = @department_a

That should work. If you have spaces in group names (one of the things I
love about Windows), use @"department a" 

Craig

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
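
An audit of the layout described in the reply above, as an added example that is not part of the original message: it checks that every directory under a department web root keeps the setgid bit, that nothing is writable by "other" (which the 775/664 masks should already prevent), and that everything belongs to the department group. The function name and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage: audit_webroot /var/www/html/department_a department_a

# Prints one finding per line; returns 0 when the tree is clean, 1 otherwise.
audit_webroot() {
    root=$1
    group=$2    # group name or numeric gid

    findings=$(
        # Directories without setgid: files created there get the creator's
        # primary group instead of inheriting the department group.
        find "$root" -type d ! -perm -2000 | sed 's/^/NO_SETGID /'
        # Anything writable by "other" bypasses the group-based access model.
        find "$root" ! -type l -perm -0002 | sed 's/^/WORLD_WRITABLE /'
        # Entries owned by a different group are outside the share's control.
        find "$root" ! -type l ! -group "$group" | sed 's/^/WRONG_GROUP /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```
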

