[lug] apache vhost / php perms

George Sexton gsexton at mhsoftware.com
Wed Apr 16 18:25:08 MDT 2008 

SetGID applied to a directory makes any new directories or files created 
in that directory set to the group of the parent directory.

I don't think it's any particular security issue since it's applied to 
the directory, and the only effect is to make any files or directories 
owned by the group.

karl horlen wrote:
> I got lost with your solution
> 
>> Make each virtual host directory owned by the user.
> 
> This makes sense.
> 
>> Set the group to be apache, and set the permissions on the
>> directory to 
>> be setgid g+rws
> 
> If I set the group to apache, this is the same as it was in my previous example?  Trying to follow what you're doing here.  Sorry for my ignorance.
> 
>> Remove the individual users from the apache directory.
> 
> What apache directory?  Each user has their own server root directory which  as of right now simply lives under a subdir in their home directory.  Did you mean 'apache group' versus 'apache directory' above?
> 
>> Now, when a user creates a file, the group will be apache,
>> and they will 
>> be the owner. Apache will be able to read each user's
>> files, but since 
>> the user's are not members of group apache, they
>> won't be able to read 
>> each other's files.
> 
> I think I'm starting to see what you're trying to do after reading this last part but still a little unclear on the implementation as described above.
> 
> I think what you're saying is that each vhost directory is owned by the individual userid.  Each vhost directory is setgid to be apache.  But and I think this is the key, each user is no longer included as a member of group apache.  This provides the security glue required to make this work.
> 
> Followup.  
> 
> As a web developer i often reuse code between projects. I frequently duplicate full and or partial dir trees from existing vhost site directories to other vhost site directories.  Sometimes I'll update some code on one site that needs to be updated in another.  I often rsync or simple copy as root and then change perms appropriately in the target directory, recursively use chown and or chmod to make the appropriate changes.  
> 
> I'm not used to using setgid though.  
> 
> Does setgid need to only be applied to directories or to all files in the directories (I think only the directories)?
> 
> Does it need to be only applied to toplevel vhost directory or all child dirs?  I'm assuming all but I don't know?
> 
> Is there a reason I would NOT want to setgid one of my child directories?  Just asking.
> 
> Finally.  setgid itself probably opens up the door to potential security holes if not implemented correctly which is why I asked the questions I did above (stupid as they might be to someone who has used the feature a lot).  
> 
> Are there any other security holes I should be aware of using this approach or tips to prevent them using the method described above.
> 
> Thanks
> 
> 
> 
> 
>       ____________________________________________________________________________________
> Be a better friend, newshound, and 
> know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/

More information about the LUG mailing list