[lug] apache vhost / php perms

karl horlen horlenkarl at yahoo.com
Thu Apr 17 00:27:00 MDT 2008


Thanks for the tip.  Combining both George's tip and yours allows me to handle this type of setup more cleanly, with less maintenance.

Any thoughts on the security hole example I mentioned?


--- On Wed, 4/16/08, Hugh Brown <hugh at math.byu.edu> wrote:

> From: Hugh Brown <hugh at math.byu.edu>
> Subject: Re: [lug] apache vhost / php perms
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List" <lug at lug.boulder.co.us>
> Date: Wednesday, April 16, 2008, 8:28 PM
> George Sexton wrote:
> > SetGID applied to a directory makes any new directories or files created
> > in that directory set to the group of the parent directory.
> >
> > I don't think it's any particular security issue since it's applied to
> > the directory, and the only effect is to make any files or directories
> > owned by the group.
> >
>
> I've done something similar and found that I had to write a cron script
> that would fix the group permissions and make sure that group had
> read/execute where appropriate.
> 
> As a test, I just did:
> 
> mkdir foo
> chgrp group2 foo
> chmod g+s foo
> cd foo
> rsync -av remote:s* .
> 
> ls -l at the foo level had group2 but everything below that level had
> group1 (which is the default group for the user).
>
>
> So, if all of the vhosts share the same parent, you can set a cron
> script to run and do:
> 
> chgrp -R apache /vhost/parentdir
> find /vhost/parentdir -type d -exec chmod g+s {} \;
> 
> Hugh


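An added example, not code from anyone in this thread: a variant of the cron job Hugh describes that first reports where group ownership or the setgid bit has drifted (as after his `rsync -av` test) and then repairs only those entries. The function names are made up for illustration, `/vhost/parentdir` and `apache` are taken from Hugh's message, and it assumes a find(1) whose `-group` accepts a numeric gid.

```shell
#!/bin/sh
# Added example: audit a shared vhost tree for group/setgid drift.
# Assumption: find(1) accepts -group with a name or a numeric gid.

# List entries whose group is not GROUP. Symlinks are skipped so that a
# later chgrp never touches a link target outside the tree.
wrong_group() {   # usage: wrong_group DIR GROUP
    find "$1" ! -type l ! -group "$2" -print
}

# List directories missing the setgid bit, i.e. places where new files
# would fall back to the creating user's default group.
missing_setgid() {   # usage: missing_setgid DIR
    find "$1" -type d ! -perm -2000 -print
}

# Print a tagged report. Returns 1 when any drift is found, so a cron
# wrapper can alert on it instead of silently rewriting the tree.
audit_vhost_tree() {   # usage: audit_vhost_tree DIR GROUP
    report=$(
        wrong_group "$1" "$2" | sed 's/^/GROUP  /'
        missing_setgid "$1" | sed 's/^/SETGID /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Repair only what the audit flags. chgrp needs root or membership in GROUP.
fix_vhost_tree() {   # usage: fix_vhost_tree DIR GROUP
    find "$1" ! -type l ! -group "$2" -exec chgrp "$2" {} +
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Example cron usage:
#   audit_vhost_tree /vhost/parentdir apache || fix_vhost_tree /vhost/parentdir apache
```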