1

I have a small webserver used by some friends to host personal websites. Occasionally they need to make a folder for uploads that can be written to by the webserver (www-data). Is there a safe way to allow a regular user (not in sudoers) to set a specific group that they are not a member of?

To me this seems to be a dangerous option to allow, but one that I might have to allow. So I am interested in secure ways of doing it. Writing my own script & allowing users to sudo it is likely not to be secure. I want to try to use best practices, not just allowing sudo chgrp, unless that really is secure.

Some requirements:

* Can only change files in a specific area of the server
* Can only change to and from specific groups
* Cannot be hacked to allow privilege escalation or other security issues.

Running the PHP FastCGI as a specific user might be a good solution, but how would I ensure that is set up securely & safely?

Rob
  • 185

2 Answers

2

If your users' websites are separated into virtual hosts, a simple and secure way in most cases would be to use apache2-mpm-itk, which allows you to constrain each individual vhost to a particular system user/group.

After installing apache2-mpm-itk, add these lines in part of apache configuration:

<virtualhost foobar.com:80>
        ...
        <IfModule mpm_itk_module>
        AssignUserId USERID GROUPID
        </IfModule>
</virtualhost>

This way, PHP/Perl/Python scripts in vhosts are also run as the regular user, with that user's permissions.

simon
  • 21
1

One thing you can do, and I do it, is to use suexec to specify that each person's PHP scripts run under their own user or group account.

To do this you'll need to also run PHP as a FastCGI module and run mod_fcgid under Apache (hint: you can also use Apache's Worker MPM). Installation is a bit tricky - you need wrapper scripts (you may be able to get around this using suphp but I haven't tried it).

I have it so that PHP (and all CGI processes) run as www-data:<username>. Then, if users want to be able to have PHP upload to their own folder, they can just set the group write flag themselves.

Or just run PHP as <username>:<username> and they won't even have to do that.

thomasrutter
  • 2,656
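For the suexec and mod_fcgid setup described in the answer above, an added example (not from the answer's author or from Apache): it writes the per-user PHP wrapper script and checks the ownership and mode conditions suexec enforces before it will execute a program. The user `alice`, the path `/var/www/fcgi/alice`, the `php-cgi` location and the function names are assumptions.

```shell
#!/bin/sh
# Added example; names and paths are hypothetical.
# Matching vhost directives (mod_suexec + mod_fcgid), for the
# <username>:<username> variant:
#   SuexecUserGroup alice alice
#   AddHandler fcgid-script .php
#   FcgidWrapper /var/www/fcgi/alice/php-wrapper .php
#   (the directory being served also needs "Options +ExecCGI")

# Write a minimal PHP FastCGI wrapper into DIR and fix its mode.
# Run as root, then chown DIR and the wrapper to the target user:group.
write_wrapper() {
    dir=$1
    php_cgi=${2:-/usr/bin/php-cgi}   # assumed php-cgi location
    mkdir -p "$dir" || return 1
    printf '#!/bin/sh\nexec %s\n' "$php_cgi" > "$dir/php-wrapper" || return 1
    chmod 0755 "$dir" "$dir/php-wrapper"
}

# True if PATH is owned by USER:GROUP and not group- or world-writable.
owned_not_writable() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3" \
        ! -perm -0020 ! -perm -0002)" ]
}

# True if PATH carries neither the setuid nor the setgid bit.
no_setid() {
    [ -n "$(find "$1" -prune ! -perm -4000 ! -perm -2000)" ]
}

# Check the conditions suexec applies to the wrapper and its directory:
# both owned by the target user/group, neither writable by anyone else,
# and the program itself not setuid/setgid.
check_wrapper() {
    dir=$1 user=$2 group=$3
    [ -x "$dir/php-wrapper" ] ||
        { echo "wrapper missing or not executable" >&2; return 1; }
    owned_not_writable "$dir" "$user" "$group" ||
        { echo "directory: wrong owner or writable by others" >&2; return 1; }
    owned_not_writable "$dir/php-wrapper" "$user" "$group" ||
        { echo "wrapper: wrong owner or writable by others" >&2; return 1; }
    no_setid "$dir/php-wrapper" ||
        { echo "wrapper: setuid/setgid bit set" >&2; return 1; }
}
```

When a request fails one of these checks, suexec refuses to run the wrapper and records the reason in its own log, so `check_wrapper /var/www/fcgi/alice alice alice` is worth running before reloading Apache.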