1

I build a website that automatically manages a dedicated server. It does all sorts of things like creating users and apache settings to point to their home directory.

The home directories host game binaries, and the home folder can be accessed from the web, but only non-essential resource files (.wav, .mdl, .spr, etc.) can be accessed; that's how Apache is configured. So for this to work, I need execute and read permissions on all files.

The problem is that binaries run in one user's home folder can access other users' home folders, and read and write to files in there.

How can I make a user's home directory inaccessible to anyone else but him and via Apache? Here's what the folder tree looks like:

http://i.imgur.com/LVFMle2.png (no rep to show image directly)

Aron
  • @Matt the files are not created by Apache, Apache merely executes cp -rp to copy a folder and its contents and keep all permissions intact. That means that all I have to do is change permissions on the "source" folder and the same permissions will be present on user files. Your answer seems unrelated though. – Aron Aug 12 '15 at 21:03

2 Answers

2

Set an ACL on each user's home directory, to which Apache needs access. This lets you avoid silly tricks with groups, which can actually cause more problems than they solve.

For example:

setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/username

will allow the httpd user to read everything in that directory, including subdirectories and any newly created files.

Michael Hampton
0

I'd suggest having each user's home directory owned by the user and the user's group, with only the user and group able to get into the directory (770), and then making Apache a member of each user's group.

Also, be sure to implement some form of symlink attack protection (see https://documentation.cpanel.net/display/EA/Symlink+Race+Condition+Protection for some options - this link does not just apply to cPanel).

An approach which would keep things simple and not require symlink attack protection would be to use MPM ITK if you don't mind the speed hit (and see also the "Quirks and Warnings" on its homepage). In that case Apache runs as each individual website user.

You can also check out "Multi-site hosting - important vulnerability being missed to secure sites from each other?" for a discussion of multi-site hosting security and some other approaches.

Disclaimer: I can't promise that any suggestion above is 100% secure so use at your own risk =).

sa289
    I will probably set up containers because I need them anyways for resource management. That should keep things safe, right? I wanted to know how other people fix this though because I thought I understood permissions well enough, but I don't. – Aron Aug 12 '15 at 21:21
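A check for the layout discussed in the answers above, as an added example that is not code from the question or from either answerer: it walks a base directory of home folders and reports homes whose mode grants anything to "other", world-writable entries, and symlinks that resolve outside the home. The user names, file names and sample tree are constructed, and only mode bits are inspected, so an ACL entry such as the one set with setfacl is not evaluated.

```python
import os
import stat
import tempfile

def audit_homes(base):
    """Return (path, issue) findings for every home directory under base."""
    findings = []
    for name in sorted(os.listdir(base)):
        home = os.path.join(base, name)
        mode = os.lstat(home).st_mode
        if not stat.S_ISDIR(mode):
            continue
        # Any "other" bit on the home itself admits every local account,
        # including game binaries started by a different user.
        if mode & stat.S_IRWXO:
            findings.append((home, "open to other: %o" % stat.S_IMODE(mode)))
        real_home = os.path.realpath(home)
        for root, dirs, files in os.walk(home):  # symlinked dirs are not followed
            dirs.sort()
            for entry in sorted(dirs + files):
                path = os.path.join(root, entry)
                emode = os.lstat(path).st_mode
                if stat.S_ISLNK(emode):
                    target = os.path.realpath(path)
                    if os.path.commonpath([real_home, target]) != real_home:
                        findings.append((path, "symlink leaves home"))
                elif emode & stat.S_IWOTH:
                    findings.append((path, "world-writable"))
    return findings

def build_sample(base):
    """Constructed sample tree: alice uses mode 770, bob is left at 755."""
    for user, mode in (("alice", 0o770), ("bob", 0o755)):
        os.makedirs(os.path.join(base, user, "sound"))
        os.chmod(os.path.join(base, user, "sound"), 0o750)
        os.chmod(os.path.join(base, user), mode)
    cfg = os.path.join(base, "alice", "server.cfg")
    open(cfg, "w").close()
    os.chmod(cfg, 0o640)
    os.chmod(os.path.join(base, "bob", "sound"), 0o777)
    os.symlink(cfg, os.path.join(base, "bob", "sound", "shared.cfg"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, issue in audit_homes(tmp):
            print("%-22s %s" % (issue, os.path.relpath(path, tmp)))
```

Because cp -rp preserves modes, running the same check against the source folder shows what every newly created home will inherit.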