Group and process ownership

Hi,

I'm setting up a wiki on my newly activated Force 9 CGI space. The perl
script itself is running OK, but I'm having a problem with the data files.
I've created a directory, called, er, wiki off the parent and copied the
data files there.

The problem is this. When the perl script runs, it does so with the
permissions of the httpd process. In order to allow the CGI process to write
the data back to the files, I would have to chmod them to 666. However, I
am worried that this leaves the files world writable, and vulnerable to
unwanted attention ;-) I know that the files will be "world writable"
through the web front-end to the wiki, but that's a little different!

Therefore, can I change the group ownership of the files to something else,
writable by the httpd process but not by everyone else out there?

TIA,

Tony

P.S. I have posted this to force9.www.cgi too, but no-one else seems to hang out there.
10 REPLIES

Re: Group and process ownership

Quote
Therefore, can I change the group ownership of the files to something else, writable by the httpd process but not by everyone else out there?

The issue of permissions on the CGI server was raised in the Very weak security thread. I believe the recommendations there are the best that can be done at present.


Quote

P.S. I have posted this to force9.www.cgi too, but no-one else seems to hang out there.


By far the most active PlusNet forum is the one associated with the PlusNet brand itself, available at portal.plus.net (notice any similarities?). As a guest, you can view messages, but not post. If you want to post, register for a free Internet account with PlusNet, and let Ian Wild know the username. See AKA

Thanks

Thanks for the reply. I'd read that thread you mentioned - it raises some good points.

Setting the perms for my directory to deny any group access would certainly improve security. It took me about ten minutes to spot that I could browse other people's webspace. Giving group access permissions to other people's webspace certainly seems a little, er, odd.

However, it doesn't solve my problem of allowing the httpd process write access to the wiki data files. The only way (that I can see) to avoid having to give global write permissions (and letting any other user write to my tree) would be to give the httpd process access using the group permissions. If the httpd process runs with group ownership "www" for example, chgrp-ing all my data files to this group would enable me to give the httpd process write access without giving everyone write access.

I guess I'll just have to wait and see! ;-)

Tony

Group and process ownership

For anyone interested,

I've submitted a support ticket concerning the permissions/security on the crofters server. Linux is generally a secure OS and is more than capable of hosting several document roots without recourse to expensive (to maintain) solutions like UML. I appreciate that the CGI service is a bonus and unsupported, however the crofters server could be made much more secure with only a few changes to the security model. To that end, in my ticket I have asked that the security model be reconsidered.

So that I'm not just being a moaner, I have also suggested a model that might be considered: Each user is set up in a group (probably groupname = username, as is the default on most Linux systems). Only the user and the owner of the httpd process (usually something like "www" or "httpd") are members of that group. This would allow the user to set permissions for themselves, for the httpd process via the group permissions and then for the rest of the world (including other users on the system). The httpd process could then be given read/write access or just write access to the files, depending on the purpose of the CGI space. World access can also be controlled by the user.

A security model like the above shouldn't take any more management than the existing one once in place.

I'll post back if I get any helpful response.

Tony

Group and process ownership

If you're saying that each user gets added to the group of the httpd process, this will still give every user access to your files as they will be in the group as well. Or have I misunderstood what you meant?

...

Yes, I think so ;-)

For every username on the system there would be a group of the same name. So the user fred would be a member of a group called "fred". (Each user having a group of their own is not unusual on a Linux system.) The only other member of that group would be the owner of the httpd process. No other users would be members of that group.

Under that scheme, the ownership permissions would apply just to the file's owner, the group permissions to that single user and the httpd process. The httpd process would be able to read/write to the directory depending on the group permissions, set by the user. The "other" permissions would apply to everyone else, again as decided by the user of the system.

To reiterate, only the owner of the httpd process and the user who owns the directory would have access to that directory (subject to the appropriate group permissions).

As I mention, it's a pretty standard way for Linux systems to be set up, and shouldn't result in any increased sysadmin load, beyond the conversion itself. (This is, after all, an "unsupported" service.)

Hope that is clearer!

Tony
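
Added example (not part of the original thread): the per-user group scheme described in the post above, applied to a data directory from the shell. The helpers `world_writable` and `lock_down` are hypothetical names, and the caller's own gid stands in for the per-user group that would also contain the httpd user.

```shell
#!/bin/sh
# Added example: group-based write access for a CGI data directory.
# Assumption: the web server process is a member of a group that only the
# directory owner shares (the per-user group suggested in the thread).

# List anything under $1 that "other" can write to (files or directories).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Give group $2 read/write on the tree at $1 and remove all "other" access.
lock_down() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    # setgid on directories so files created later inherit the group
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# Constructed demo: a throwaway tree standing in for the wiki data directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/wiki" && : > "$tmp/wiki/page.db" && chmod 666 "$tmp/wiki/page.db"
    before=$(world_writable "$tmp/wiki" | wc -l)
    # The caller's own gid stands in for the hypothetical per-user group.
    lock_down "$tmp/wiki" "$(id -g)"
    after=$(world_writable "$tmp/wiki" | wc -l)
    rm -rf "$tmp"
    echo "world-writable before: $before, after: $after"
}
demo
```

With the files at mode 660 and the directory at 2770, the owner and the group can write and every other account on the server gets no access at all; this only helps if no other user is a member of that group.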

Group and process ownership

Yep - I understand what you mean now and I think this would be easy enough to implement. As this is a security issue I think it should be. I was told I couldn't be given access to the Apache error logs because it is a potential security issue; this shows that F9 take security seriously.

F9 admins please consider implementing this on all public servers.

Reply from Customer Support

I've had the following response from the Customer Support team at Force9. In an earlier message they said that they had passed the issue on to the networking team. I responded later saying that I would be happy to discuss the issue with the networking team and that I had not heard from them. I got this response yesterday:

Quote
Any major changes to our CGI platform will be announced on our Announcements/Service Status pages on the Portal and in USENET. If your suggestions are accepted they are not likely to be put in place for several months.


I think it's sad that this is being viewed as a request for a change to the service, rather than the security flaw that it actually is. More disheartening is the fact that it is unlikely to be acted on for several months, if at all!

Anyway, I said I would share any response, so I have!

Tony

Group and process ownership

Tony

How about creating a poll in the Ideas and suggestions forum (also notify those in the force9.www.cgi newsgroup). I'm sure you'll get some support on this - I for one would certainly vote in favour.

You could also put this across on the plus.net forum as well - there seems to be a larger audience there.

Regards

Neil

Good idea

I may do that soon.

I've been thinking about this issue, and an alternative has sprung to mind, which may (or may not) be easier to implement for the sysadmins at Force9. That is to have a chroot jail for each user, so that they can only access their directory tree (home directory). This would be the same effect as connecting to the homepages server, which only allows access to a user's home directory.

Tony

Created a poll

I've created a poll in the Ideas and Suggestions forum at http://portal.f9.net.uk/central/forums/viewtopic.php?t=1934 if anyone interested would like to take a look and have a vote!

Tony