[lug] apache vhost / php perms

George Sexton gsexton at mhsoftware.com
Thu Apr 17 07:42:22 MDT 2008


Unless a file is SETUID/SETGID, it runs with the permissions of the 
person executing it, not the permissions of the owner or group.

Since the users won't be able to create SETGID files, there is no problem.

karl horlen wrote:
> Thanks for the tip.  Combining both George's and your tips allows me to handle this type of setup more cleanly with less maintenance.
> 
> Any thoughts on the security hole example I mentioned?
> 
> 
> --- On Wed, 4/16/08, Hugh Brown <hugh at math.byu.edu> wrote:
> 
>> From: Hugh Brown <hugh at math.byu.edu>
>> Subject: Re: [lug] apache vhost / php perms
>> To: "Boulder (Colorado) Linux Users Group -- General Mailing List" <lug at lug.boulder.co.us>
>> Date: Wednesday, April 16, 2008, 8:28 PM
>> George Sexton wrote:
>>> SetGID applied to a directory makes any new directories or files created
>>> in that directory set to the group of the parent directory.
>>> I don't think it's any particular security issue since it's applied to
>>> the directory, and the only effect is to make any files or directories
>>> owned by the group.
>>>
>> I've done something similar and found that I had to write a cron script
>> that would fix the group permissions and make sure that group had
>> read/execute where appropriate.
>>
>> As a test, I just did:
>>
>> mkdir foo
>> chgrp group2 foo
>> chmod g+s foo
>> cd foo
>> rsync -av remote:s* .
>>
>> ls -l at the foo level had group2 but everything below that level had
>> group1 (which is the default group for the user).
>>
>>
>> So, if all of the vhosts share the same parent, you can set a cron
>> script to run and do:
>>
>> chgrp -R apache /vhost/parentdir
>> find /vhost/parentdir -type d -exec chmod g+s {} \;
>>
>> Hugh
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List:
>> http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/
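Hugh's two-line cron fix, extended with an audit of what it is supposed to guarantee, as an added shell example (not code from anyone in the thread). The function names are this example's own; the group argument is whatever group the web server runs as (`apache` in Hugh's mail), and the `site1`/`site2` layout mentioned in the comments is made up.

```shell
#!/bin/sh
# Added example, not from the thread. fix_vhost_perms is Hugh's cron fix made
# idempotent; audit_vhost_perms reports what a later upload or "rsync -g" has
# undone instead of silently rewriting it, so cron can mail only on findings.

# Group-own the tree, set setgid (the 2000 bit) on every directory so new
# entries inherit the group, and give the group read access (+ traverse on dirs).
fix_vhost_perms() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod g+rxs {} +   # setgid + rx on directories
    find "$dir" -type f -exec chmod g+r {} +     # the web server only needs read
}

# Print one line per problem and return 1; return 0 when the tree is clean.
# Checks: directories that lost the setgid bit (new files would get the
# uploader's primary group, as Hugh saw with rsync), entries owned by another
# group, files the group cannot read, and regular files carrying setuid/setgid,
# which George's point implies is the only way a file could run as another user.
audit_vhost_perms() {
    dir=$1; group=$2
    findings=$( {
        find "$dir" -type d ! -perm -2000 -print | sed 's/^/no-setgid /'
        find "$dir" ! -group "$group" -print   | sed 's/^/wrong-group /'
        find "$dir" -type f ! -perm -0040 -print | sed 's/^/no-group-read /'
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/suid-sgid-file /'
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical cron use (constructed layout: /vhost/parentdir holding site1, site2):
#   audit_vhost_perms /vhost/parentdir apache || fix_vhost_perms /vhost/parentdir apache
```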
