Re: Root-like filesystem permissions.

To: Nathan Ollerenshaw <chrome@stupendous.net>
Cc: debian-isp@lists.debian.org
Subject: Re: Root-like filesystem permissions.
From: Wade Richards <wade@wabyn.net>
Date: Thu, 31 Jul 2003 19:07:31 -0700
Message-id: <[🔎] E19iPKN-0004Gr-00@wabyn.net>
In-reply-to: Message from Nathan Ollerenshaw <chrome@stupendous.net> of "Fri, 01 Aug 2003 10:00:27 +0900." <[🔎] 8A67255D-C3BB-11D7-921F-000A95A07AB8@stupendous.net>

Hi,

Maybe I'm not understanding your problem, but can't you use group
membership for this?

If you give every user their own group (like Debian does by default),
and have every file with permissions 640 (or 750 for exeutables), then
have the "www" user be a member of ALL the user groups, that should
work.

The solution should be secure, because for a file owned by user
"example", it will be readable by group "example", but the only members
of that group are the user "example" and the user "www".

There may be an operating system limit on the number of groups a 
single user can be a member of, but as long as you don't hit that
limit (if it even exists), you should be OK.

    --- Wade

On Fri, 01 Aug 2003 10:00:27 +0900, Nathan Ollerenshaw writes:
>Hi there,
>This sounds like an apache question, but it's really more general than 
>that.
>
>Firstly, some background. I manage a small shared hosting system with a 
>few hundred websites on it.
>
>Currently, I use Apache 1.3 to serve the pages (can't use 2.0 just yet) 
>and every site has a docroot located in a directory structure such as:
>
>	/web/ab/cd/example.com/www
>
>The apache daemon runs as a "www" user and group, and everyone domain 
>has a unique userid and groupid assigned to it. The apache daemon runs 
>in a chroot. (Therefore, the /etc/passwd and /etc/group entries for 
>user sites only exist in the chroot - so that CGIs will work correctly).
>
>This works fine, however it has some flaws.
>
>Currently, permissions on the customer directories need to be lax 
>enough for the apache daemon to read the files. This means at least 771 
>for the docroot (which disables multi).
>
>What I would LIKE is to have all permissions on customer files and 
>directories to be 700 or 600 respectively (except for executable CGIs 
>of course).
>
>However, to do this, I'll need to run Apache as root, inside the 
>chroot. This is not desirable, because I have read that it is possible 
>to break out of a chroot if the attacker gets root inside it.
>
>So.
>
>What I am after is a way of making the Apache daemon's user (www:www) 
>have root-like filesystem permissions.
>
>I know there is a LOT of stuff added to the 2.4 kernels with regards to 
>fine grained permissions, but I don't know where to start, and whether 
>or not this is feasible. Has anyone else done this at their ISP? Should 
>I be looking at a different solution?
>
>Thanks for taking the time to read this quite lengthy email :) Any 
>suggestions are appreciated.
>
>Regards,
>
>Nathan.
>
>-- 
>The language and concepts contained herein are guaranteed
>not to cause eternal torment in the place where the guy with
>the horns and pointed stick conducts his business.
>
>
>-- 
>To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>

Reply to:

Follow-Ups:
- Re: Root-like filesystem permissions.
  - From: Nathan Ollerenshaw <chrome@stupendous.net>
- Re: Root-like filesystem permissions.
  - From: Fraser Campbell <fraser@wehave.net>

References:
- Root-like filesystem permissions.
  - From: Nathan Ollerenshaw <chrome@stupendous.net>

Prev by Date: Root-like filesystem permissions.
Next by Date: Re: Root-like filesystem permissions.
Previous by thread: Root-like filesystem permissions.
Next by thread: Re: Root-like filesystem permissions.
Index(es):
- Date
- Thread