Re: how do I use UID setting?
On 6 Feb 99, at 21:40, Gerard MacNeil wrote:
> On Sat, 6 Feb 1999, Chris Evans wrote:
>
> > 1 -rwsr-xr-x 1 chris root 59 359 Feb 6 22:47 cp
>
> This line means any user can execute the program 'cp'
Yes, I didn't mean to leave it that way.
>
> > The whoami reports "nobody" not "chris" (is that what you'd expect
> > gurus?), the cp, which is what I want, reports insufficient
> > permissions to create the files in the copy.
>
> OK. So the Apache process is running as user 'nobody' (mine runs as
> www-data as per the Debian distribution).
> You want 'nobody' to 'cp' a file to a directory. Does 'nobody' have
> permissions to write a file in the directory in question? The
> observations about 'chris' are not relevant. Set the permissions of the
> directory so 'nobody' can write to it.
I _knew_ I shouldn't have called that program "cp"! Sorry, it made
things very unclear.
The crucial things I want are:
1) for the default user of apache-ssl, currently nobody, to be able to
execute this program, /var/www/secure-cgi-bin/cp, (I've achieved
this much!)
2) for the execution of that program to use its owner's (chris's) UID
and hence its owner's (chris's) permissions
3) which should give it write permission in the /var/www/root/
directory tree (something I don't want any old apache execution to
have as a sort of basic protection of that tree in case I foul up and
leave other holes)
I have _NOT_ achieved 2) and/or 3) as far as I can see.
> Do a 'su nobody -c cp SOURCE_FILE THE_DIR' as root to test. You may have
> to use the full PATH to the 'cp' command.
> If you check the documentation on Security, you will see that it is
> recommended that Apache process run as an abstract pseudo-user like
> 'www-data' (Debian install default). You spec the user in
> /etc/apache/httpd.conf and you only have to make sure that the user
> exists. It helps keep things straight.
> It also defines precisely how the files have been written to the
> directory. 'www-data' should be denied all logins. All files
> written with owner 'www-data' are therefore written by the Web
> Server (except for a security breach). You know where they came
> from. You can check your Web Stats to verify the URL was in fact
> hit. Besides, 'nobody' gets used for a bunch of other things.
I really don't think I have changed the default user for apache-ssl,
maybe I have. I take the logic of this and approve and will make
the change but I still wouldn't want to give www-data write
permission in its own root (or cgi-bin) directory structures. That
sounds to me like creating an unnecessary layer of openness.
The situation is that I host some pages someone else designs. He
has ftp and I've arranged that he can ftp his pages into a small
partition. Since ftp is essentially insecure to snooping and replay I
accept that partition is insecure and can live with that. What I want
is to get him then to validate himself in with name & password in
an https (apache-ssl) session (i.e. essentially non-snoopable,
non-replayable) so he can then initiate a copy into the httpd root
structure (otherwise I'll keep having to do it for him which is going
to frustrate both of us).
I thought that the "setuid" byte was the way to do this, to get a
program to use its owner's UID and permissions rather than those
of the (lower permissions) apache user. Clearly I'm wrong or doing
something wrong.
Does that make things any clearer? Can anyone help?
TIA
Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle Tel/fax.:(+44|0)181-671 0868
http://psyctc.org/ Email: chris@psyctc.org