1

I have a small webserver used by some friends to host personal websites. Occasionally they need to make a folder for uploads that can be written to by the webserver (www-data). Is there a safe way to allow a regular user (not in sudoers) to set a specific group that they are not a member of?

To me this seems to be a dangerous option to allow, but one that I might have to allow. So I am interested in secure ways of doing it. Writing my own script & allowing users to sudo it is likely not to be secure. I want to try to use best practices, not just allowing sudo chgrp, unless that really is secure.

Some requirements:

* Can only change files in a specific area of the server
* Can only change to and from specific groups
* Cannot be hacked to allow privilege escalation or other security issues.

Running the PHP FastCGI as a specific user might be a good solution, but how would I ensure that is set up securely & safely?

Rob
  • Why wouldn't you want to use sudoers for this? You know you could grant them sudo permissions for only a small subset of commands, correct? – EEAA Oct 14 '10 at 03:12
  • But can I control what parameters they can pass to those commands? I need to make sure they can only perform specific limited actions, not anything that chgrp can do. I don't want them chgrp'ing /usr/bin/sudo for example – Rob Oct 14 '10 at 17:17

2 Answers

2

If your users' websites are separated into virtual hosts, a simple and secure way in most cases would be to use apache2-mpm-itk, which allows you to constrain each individual vhost to a particular system user/group.

After installing apache2-mpm-itk, add these lines in part of the Apache configuration:

<virtualhost foobar.com:80>
        ...
        <IfModule mpm_itk_module>
        AssignUserId USERID GROUPID
        </IfModule>
</virtualhost>

This way PHP/Perl/Python scripts in vhosts are also run with the regular user's permissions.

simon
1

One thing you can do, and I do it, is to use suexec to specify that each person's PHP scripts run under their own user or group account.

To do this you'll need to also run PHP as a FastCGI module and run mod_fcgid under Apache (hint: you can also use Apache's Worker MPM). Installation is a bit tricky - you need wrapper scripts (you may be able to get around this using suphp but I haven't tried it).

I have it so that PHP (and all CGI processes) run as www-data:<username>. Then, if users want to be able to have PHP upload to their own folder, they can just set the group write flag themselves.

Or just run PHP as <username>:<username> and they won't even have to do that.

thomasrutter
  • Unfortunately I don't use Apache but rather nginx, and I use the PHP5 FPM for the FastCGI. My issue here is one of lack of documentation & example. The concepts are known to me, the gotchas are not. – Rob Oct 14 '10 at 17:19