[olug] secure lamp configuration research

Jordan Fox vmifox at gmail.com
Tue Jul 22 13:42:21 UTC 2008


I'm not sure how this will play with Apache, but a lesser known fact is that
you can actually implement full access control lists on files and
directories in Linux.  This would give the most granular control to a
file/directory because you can give any number of groups and users any
type of access they require to a given file or directory.  You can even set
default ACLs on the directory that all newly created files will inherit.
This would allow more than one group to have read/write/execute access to a
given directory, while allowing other groups to have only read, and others
to have no access at all.  The ACL will have no effect on the traditional
Linux permissions.  Using ACLs, you only set ACLs on files and directories
that you want to have an ACL - i.e. you don't need to set ACLs on every
file/directory on the system.

The software package is simply called acl.  It has 2 main commands (I've
only used 2 anyway), setfacl and getfacl.  setfacl allows you to create,
modify, and delete an ACL on a file or directory while getfacl displays the
ACL.  Excerpt from a lesson plan I wrote.  It shows basic usage of the
commands.  Of course, the man page has a good explanation:

"Use the acl package to set true acl permissions on files and directories:

Change permissions on a file or directory:

setfacl -m g:<group name>:[rwx],u:<username>:[rwx] <filename>

Change permissions on a directory so that all files and subdirectories
created have the permissions of the parent directory

setfacl -d -m g:<group name>:[rwx],u:<username>:[rwx] <directoryname>

or

setfacl -m d:g:<group name>:[rwx],d:u:<username>:[rwx] <directoryname>

the order of group and user does not matter... both user and group aren't
required either... the group and the user attributes can be set alone.

Get the acl for a given file:

getfacl <filename>

Remove the acl (except the traditional unix permissions) from a file:

setfacl -b <filename>

Remove the default acl (except the traditional unix permissions) from a
directory:

setfacl -k <filename>

Can also remove individual groups or modify the permissions.

Remove a group from the acl:

setfacl -x g:<groupname> <filename>

getfacl and setfacl are very powerful with many ways of manipulating the
acls of files and directories.  This shows the basic usage of the tools."

It should work with Apache, if you set up logins.  Without having users log
in, I'm not sure how it would work though.  I have only minimal experience
configuring Apache - and none with ACLs.

Hope this helps,
Jordan

On Tue, Jul 22, 2008 at 8:18 AM, Noel Leistad <noel at metc.net> wrote:

> Kevin wrote:
> | One option would be to have everything under /var/www/html or wherever
> | owned by the user who created it(user1,user2,etc). Turn on the setgid
> | bit for /var/www/html and set that directory's group to webmasters,
> | which anyone who is authorized to update the website is a part of .
> | Set permissions as you described.
> |
> | This will provide tracking of who created a file, while still letting
> | anyone authorized to update it.
> |
> | What this won't solve is if several groups are to be permitted to
> | update it, while others are not i.e. management and webmasters, while
> | a general it-group cannot update it. It also won't tell you who was
> | the last person to modify it.
> |
> | If this isn't what you were referring to, then you'll have to clarify
> | your question; I tried my best to identify and answer the question
> | asked.
>
> Appreciate the answer.
>
> Guess my question is more of a "nagging concern". Apache using vhosts.
> Currently DON'T host any dynamic content. My extreme case scenario would
> ~ be 2500 sites running some combination of wordpress/drupal/mediawiki
> et al that ALL HAVE group-write permissions. Now, in reality, more like
> 50-100 sites, but the issue remains, and I don't want to get into
> trouble if larger scale happened.....
>
> I'm uncomfortable w/ making all sites www-data and giving group-write to
> all. Apache runs "solo" w/ own user/group; when I want to enable
> "group-write" do I add www-data to apache group? do I add apache to
> www-data group? I live on OPPOSITE end of spectrum as a php sage, so,
> when I stumble across php setting "open_basedir" I'm not sure if it
> satisfies my concerns, or just gives me "good feeling" and leaves me
> open to serious badness as I go forward....
>
>
> --
> #######################################################
> #  Noel Leistad                                       #
> #  noel at metc.net                                      #
> #######################################################



-- 
"Do not be anxious about anything, but in everything, by prayer and
petition, with thanksgiving, present your requests to God. And the peace of
God, which transcends all understanding, will guard your hearts and minds in
Christ Jesus." Phil 4:6-7

"The shortest distance between a problem and a solution is the distance
between your knees and the floor." Anonymous
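One caveat the ACL excerpt above does not cover is the mask entry: named users, the owning group and named groups are all capped by `mask::`, and a plain chmod on a file or directory that carries an ACL changes that mask rather than the owning-group entry, so `getfacl` can list `group:management:rwx` while management still cannot write. The Python below is an added example, not code from this thread or from the acl package; it parses constructed getfacl output (the sample text and the function names are mine) and reports who can effectively write, for both the access ACL and the inheritable default ACL.

```python
from dataclasses import dataclass
# Constructed getfacl(1) output for a web docroot, not captured from a real host.
SAMPLE_GETFACL = """\
# file: var/www/html/site1
user::rwx
group::rwx
group:management:rwx
group:itstaff:r--
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:group:management:rwx
default:mask::rwx
"""

@dataclass
class AclEntry:
    default: bool   # "default:" entries are inherited by new files and subdirectories
    tag: str        # user, group, mask or other
    qualifier: str  # named user/group; empty for owner, owning group, mask, other
    perms: str      # three positions, e.g. "rw-"

def parse_getfacl(text):
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # also drops "#effective:" annotations
        if not line:
            continue
        default = line.startswith("default:")
        tag, qualifier, perms = (line[8:] if default else line).split(":")
        entries.append(AclEntry(default, tag, qualifier, perms))
    return entries

def effective(perms, mask):
    """Apply the ACL mask: a permission survives only if the mask also grants it."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def writers(entries, default=False):
    """Principals that can effectively write, for the access or the default ACL."""
    acl = [e for e in entries if e.default == default]
    mask = next((e.perms for e in acl if e.tag == "mask"), "rwx")
    result = {}
    for e in acl:
        # the mask caps named users, the owning group and named groups, not owner/other
        capped = e.tag == "group" or (e.tag == "user" and e.qualifier)
        perms = effective(e.perms, mask) if capped else e.perms
        if e.tag != "mask" and "w" in perms:
            result[f"{e.tag}:{e.qualifier}"] = perms
    return result
```

On a live host, feed it the text of `getfacl <directory>` in place of the sample; the access ACL here lets only the owner write, while the default ACL hands write access to the owning group and to management on everything created beneath it.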


