[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: why are files/directories owned by www-data !?

On 26/1/2000 Brian May wrote:

I think you have to trust the webserver not to currupt its
own log files...

the way i understand it the apache parent process (which always runs as root) is responsible for writing the log files, not the children running as www-data. and since the apache parent process never services requests but rather has its children do it, it is far more difficult to exploit the parent then one of the children. if the logs are not writable by www-data then an exploited child cannot tamper with them. it would require root privileges to corrupt the logs in which case its game over anyway. I see no reason why the bar for corrupting the logs should be lowered from "gain root" to "gain www-data"

since my logs were mode 600 root.root on my redhat box and loging worked perfectly with apache running as nobody.nobody it seems obvious that there is no justification for logs owned by the unprivileged www-data user.

    Ethan> [eb@plato eb]$ grep www-data /etc/apache/httpd.conf User
    Ethan> www-data Group www-data [eb@plato eb]$

On slink, these files are owned by root:root and have 644 permission.
I don't see why www-data should own them either.

I think you misunderstood this one, the config files are root.root mode 644, i was just showing that apache did indeed run as www-data.

This is where it becomes interesting, and while I disagree with
why it is done that way, I can tell you why it was done that way ;-).

There are 4 conflicting requirements:

1. the web server MUST be able to read stuff stored in /var/www

2. the web server shouldnt have write access to /var/www/*

3. certain data under /var/www might be password protected, and not
open to public.

4. users shouldn't have to log in as root or www-data in order to
change web pages.

here is my suggestion:

/var/www should be owned by root.www-data and be mode 2755, any subdirectories which a local user becomes responsible for maintaining should be chowned to that user retaining the www-data group and setgid permission, this way all files created have the group set to www-data and any private password protected files only need to be set to mode 640.

this satisfies 1 since the setgid bit ensures the server is able to read the files.

this satisfies 2 since the group does not have write permission, and the owner is either root or the regular user responsible for maintaining given part of the site.

this satisfies 3 since the group is still able to read it and the setgid bit allows the group to always be set to www-data not granting any user privileges to that group.

this satisfies 4 (which is currently not satisfied at all) since any page that a user is responsible for is owned by that user. the only thing this does not satisfy is the situation where multiple users need to maintain a given section, this can be solved in two ways at the local site: 1) if there will be no private passworded pages the group may be reset and all files be made world readable. or 2) a shared user may be used and all users who share a given section given sudo privileges to it.

However, Linux currently only allows one group per file, so
achieving all of these goals at once is impossible. I think the
apache maintainer has given priority to 1, 3, and 4 over 2.

I have just shown that all 4 can be satisfied with current permission models, the only place where there is a problem is when you have both password protected pages and multiple people maintaining the password protected pages. but that is not solved by the current model anyway so i consider that a moot point.

Personally, I would give 2 higher priority then 3, but that is
just my opinion.

definitely, I see no reasonable rational for lowering the bar for defacing the web site from "gain root" to "gain www-data" for which all apache children servicing requests run as.

Ideally, to fix this, you need two groups, eg:
www-server - readonly access to /var/www/*
www-data   - read/write access to /var/www/*

why do you need this? the current www-data group is fine just use the setgid bit to ensure its set and you need not make any user a member of it. like i said the only place this falls down is multiple users AND password protected pages.

Perhaps this will be possible with Ext3 or something.

if Ext3 adds ACL support perhaps, but i was under the impression that acls are already in the filesystem we just need kernel support.

I propose that /var/lib/dhelp be at the least chowned to root, /var/www be chowned to root and chmoded to 2755. and all apache logs be chowned root.adm and chmoded 640. (because passwords can be revealed if the user accidently enters the passwd as the username)

Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Reply to: