file permission security worries

[Carlo Gambino]

I wasn't sure if I should make this a new thread, apologies if not.

The mention of file permission security came up while I'm working to configure my server. Currently, Apache looks for web files in /var/www which is owned by user and group root. The only other user set up on the machine currently is called administrator, and will only be used during setup and repair of the server.

I presume it's more secure to chown of the directory than to add more users to the root group?

This would not change Apache's view of the files it's serving, it would simply change the permission of what users are able to do what to the files- right?

[topdog]

You can have the files owned by the apache user if you want. why would you want to give users root group permissions

[ralic]

As a starting point, let's assume you plan to add multiple users to your server and each will have a home dir of /home/user1 /home/user2 etc. Let's further assume that their web page will be http://yourserver/user1 http://yourserver/user2 etc.

Within each home dir, you can create a www dir, so the path to the user's web site in the filesystem would be /home/user1/www/. In this dir the user can create their web pages.

From the sysadmin perspective you would need to create a config file for the user in the apache configuration area /etc/apache2/conf.d. Probably a good idea to create a template file that you can copy to a file with the name of the user and further customise. As a minimum you would probably want:

Code:

Alias /user1/ /home/user1/www/
<Directory /home/user1/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Reload postfix for it to become active:

Code:

sudo /etc/init.d/apache2 reload

Put a basic index.html in /home/user1/www and visit http://yourserver/user1 to see it.

If each user has their own domain name or you're planning on something like http://user1.server.name then you need to go for virtualhosts, which is not that very different. Create a config file for the user in the apache configuration area /etc/apache2/sites-available. Again, at a minimum:

Code:

<VirtualHost *>
Servername user1.server.name
DocumentRoot /home/user1/www
#
ErrorLog /var/log/apache2/user1-error.log
CustomLog /var/log/apache2/user1-access.log combined
#
Alias /user1/ /home/user1/www/
<Directory /home/user1/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>

The virtualhost site must be enabled. Substitute user1 below for the name of the file in /etc/apache2/sites-available:

Code:

sudo a2ensite user1

Use a2dissite to disable them. Don't forget to reload apache to make the site available.

Also don't forget to set up the DNS entries if you plan to use virtualhosts.

This should let you achieve the objective, but not need to worry about file permissions or messing around in /var/www.
Of course, this is all just a quick hack to show you what can be done. You must review the apache docs to make sure that you secure your system properly and that you don't inadvertently open any security holes into it.

[topdog]

You could just use

Code:

UserDir www

[ralic]

Quote:

Originally Posted by topdog

You could just use

Code:

UserDir www

That's where experience counts. I'm glad there's already a builtin shortcut.

[Carlo Gambino]

Thanks again for the input! I think the way to go will be via virtualhosts. Currently, I am only doing this to learn, but I'd like to be hosting a few sites live, and I presume this would be the most secure option.