[olug] secure lamp configuration research

Noel Leistad noel at metc.net
Tue Jul 22 13:18:20 UTC 2008



Kevin wrote:
| One option would be to have everything under /var/www/html or wherever
| owned by the user who created it (user1, user2, etc.). Turn on the setgid
| bit for /var/www/html and set that directory's group to webmasters,
| which anyone who is authorized to update the website is a part of.
| Set permissions as you described.
|
| This will provide tracking of who created a file, while still letting
| anyone authorized to update it.
|
| What this won't solve is if several groups are to be permitted to
| update it, while others are not i.e. management and webmasters, while
| a general it-group cannot update it. It also won't tell you who was
| the last person to modify it.
|
| If this isn't what you were referring to, then you'll have to clarify
| your question; I tried my best to identify and answer the question
| asked.

Appreciate the answer.

Guess my question is more of a "nagging concern". Apache using vhosts.
Currently DON'T host any dynamic content. My extreme case scenario would
be 2500 sites running some combination of wordpress/drupal/mediawiki
et al that ALL HAVE group-write permissions. Now, in reality, more like
50-100 sites, but the issue remains, and I don't want to get into
trouble if larger scale happened.....

I'm uncomfortable w/ making all sites www-data and giving group-write to
all. Apache runs "solo" w/ own user/group; when I want to enable
"group-write" do I add www-data to apache group? do I add apache to
www-data group? I live on OPPOSITE end of spectrum as a php sage, so,
when I stumble across php setting "open_basedir" I'm not sure if it
satisfies my concerns, or just gives me "good feeling" and leaves me
open to serious badness as I go forward....


--
#######################################################
#  Noel Leistad                                       #
#  noel at metc.net                                      #
#######################################################
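The layout Kevin describes (group-owned docroot with the setgid bit, so new files inherit the group), together with the part his description leaves implicit, is shown below as an added example; it is not code from this thread or from any of the posters. The docroot path and the group name are assumptions passed in as arguments, and the script relies on GNU coreutils' `stat -c` and POSIX `find -perm` with octal modes.

```shell
#!/bin/sh
# Added example, not code from the OLUG thread. Implements the setup Kevin
# describes: a docroot owned by a shared group with the setgid bit set, so
# files anyone creates inside it inherit that group. The docroot path and
# the group name are assumptions supplied as arguments.

# setup_shared_docroot DIR GROUP
# Creates DIR, hands it to GROUP and sets mode 2775:
#   2   = setgid on a directory (new entries inherit GROUP)
#   775 = owner and group may write, others may only read/traverse
setup_shared_docroot() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"
}

# mode_of PATH  -> octal mode including the setuid/setgid/sticky digit
mode_of() {
    stat -c '%a' "$1"
}

# group_of PATH -> name of the group owning PATH
group_of() {
    stat -c '%G' "$1"
}

# create_with_umask UMASK PATH -> mode of the file created under UMASK
# The setgid bit only fixes the group of a new file; whether the group can
# actually WRITE it is decided by the creating user's umask. A shared
# docroot therefore needs umask 002 for the editors, not the usual 022.
create_with_umask() {
    ( umask "$1" && : > "$2" )
    mode_of "$2"
}

# audit_docroot DIR GROUP
# Prints every entry under DIR that is world-writable (any local account
# can change it) or that is not owned by GROUP (it escaped the shared group,
# so other editors cannot update it). Symlinks are skipped because their
# own mode is always 777.
audit_docroot() {
    find "$1" ! -type l -perm -002 -print
    find "$1" ! -group "$2" -print
}

# Stand-alone demonstration on a throwaway directory; the caller's own
# primary group stands in for "webmasters" so no root is needed.
demo() {
    tmp=$(mktemp -d)
    grp=$(id -gn)
    setup_shared_docroot "$tmp/html" "$grp"
    echo "docroot mode: $(mode_of "$tmp/html") group: $(group_of "$tmp/html")"
    echo "file under umask 022: $(create_with_umask 022 "$tmp/html/a.html")"
    echo "file under umask 002: $(create_with_umask 002 "$tmp/html/b.html")"
    chmod o+w "$tmp/html/a.html"    # deliberately sloppy, so the audit has a hit
    echo "audit findings:"
    audit_docroot "$tmp/html" "$grp"
    rm -rf "$tmp"
}
demo
```

Two points the demo makes visible: the setgid bit handles only group inheritance, so the group-write bit Noel is asking about comes from the editors' umask (022 gives 644, 002 gives 664), and the audit is what catches a file that ended up world-writable or outside the shared group. PHP's `open_basedir` operates one layer up: it restricts which paths a PHP script may open, but it does not change what the account Apache runs as is allowed to write on disk, so it complements filesystem permissions rather than replacing them.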





