
I build a website that automatically manages a dedicated server. It does all sorts of things like creating users and apache settings to point to their home directory.

The home directories host game binaries, and the home folder can be accessed from the web, but only non-essential resource files (.wav .mdl .spr etc) can be accessed, that's how apache is configured. So for this to work, I need execute and read permissions on all files.

The problem is that binaries run in one user's home folder can access other users' home folder, read and write to files in there.

How can I make a user's home directory inaccessible to anyone else but him and via apache? Here's what the folder tree looks like:

https://i.sstatic.net/mXflN.png (no rep to show image directly)

Aron

3 Answers

2

Set an ACL on each user's home directory, to which Apache needs access. This lets you avoid silly tricks with groups, which can actually cause more problems than they solve.

For example:

setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/username

will allow the httpd user to read everything in that directory, including subdirectories and any newly created files.

Michael Hampton
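Before granting Apache its ACL, it is worth confirming which home directories are actually open to every other local account, since that is the condition behind the question's symptom (a binary in one home reading and writing a neighbour's files). The script below is an added example, not code from the question or from any answer: audit_homes flags each subdirectory of a base such as /home whose mode gives "other" any of list, write or traverse, and close_homes removes exactly those bits so that Apache's access then comes only from the per-directory ACL (or group membership) rather than from world-readable modes. It assumes a POSIX sh and a stat(1) that accepts -c %a (GNU coreutils or BusyBox); the demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: not code from the question or any answer on this page.
# audit_homes BASE  prints one line per subdirectory of BASE (e.g. /home) whose
#                   mode grants anything to "other", i.e. to every local account,
#                   including a game binary running in a neighbour's home.
# close_homes BASE  removes those "other" bits (chmod o-rwx) from the flagged
#                   directories; Apache is then admitted per directory via the
#                   ACL or group membership the answers describe instead.
# Assumes a POSIX sh and a stat(1) that accepts -c %a (GNU coreutils, BusyBox).
# Directory names containing spaces are not handled by close_homes (it splits on them).

audit_homes() {
    base="$1"
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home="${home%/}"                         # drop the trailing slash from the glob
        mode=$(stat -c %a "$home") || continue   # e.g. 755, or 2770 with setgid
        other="${mode#"${mode%?}"}"              # last octal digit = bits for "other"
        if [ "$other" -eq 0 ]; then
            continue
        fi
        problems=""
        if [ $((other & 4)) -ne 0 ]; then problems="${problems}${problems:+,}list"; fi
        if [ $((other & 2)) -ne 0 ]; then problems="${problems}${problems:+,}write"; fi
        if [ $((other & 1)) -ne 0 ]; then problems="${problems}${problems:+,}traverse"; fi
        printf '%s %s other-can:%s\n' "$home" "$mode" "$problems"
    done
}

close_homes() {
    audit_homes "$1" | while read -r home mode _; do
        chmod o-rwx "$home"
    done
}

# Constructed demo on a temporary tree: run as `sh homes_audit.sh demo`.
demo_homes() {
    t=$(mktemp -d)
    mkdir "$t/alice" "$t/bob" "$t/carol"
    chmod 755 "$t/alice"      # common default: anyone can list and enter
    chmod 770 "$t/bob"        # the group-based layout from the other answers
    chmod 700 "$t/carol"      # owner only
    echo "before:"; audit_homes "$t"
    close_homes "$t"
    echo "after:";  audit_homes "$t"
    rm -rf "$t"
}
case "${1:-}" in demo) demo_homes ;; esac
```

Run `sh homes_audit.sh demo` to see alice flagged as `other-can:list,traverse` and then disappear from the report after close_homes. Closing "other" is deliberately the only change the script makes: it does not touch the owner or group bits, so a 770 layout or an ACL added with setfacl keeps working, and Apache's access has to be granted explicitly rather than inherited from a permissive default.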
0

After trying many, many solutions, including the ones listed here, I found best is to:

  1. Add www-data to the user's group, so that the users remain in final control of whether apache gets to host their files

  2. Tell apache where these folders are

     <Directory /var/www/user/>
         Options Indexes FollowSymLinks
         AllowOverride All
         Require all granted
     </Directory>

  3. Which brings me to my last point, since PHP-FPM 7.4, the /home folder is protected by default, no point trying to circumvent it just to have a folder in /home, which is why I specified /var/www/user in step 2. So, just chown that whole folder to the user

All the other methods had various issues ranging from irritating to being outright unusable, in particular, the user being unable to read/write to certain files created by Apache, or having permissions that are too lax, resulting in security issues, or simply, too complicated to manage.

bilogic
0

I'd suggest having each user's home directory be owned by the user and the user's group, with only the user and group able to get into the directory (770), and then making Apache a member of each user's group.

Also, be sure to implement some form of symlink attack protection (see https://documentation.cpanel.net/display/EA/Symlink+Race+Condition+Protection for some options - this link does not just apply to cPanel).

An approach which would keep things simple and not require symlink attack protection would be to use MPM ITK if you don't mind the speed hit (and see also the "Quirks and Warnings" on its homepage). In that case Apache runs as each individual website user.

You can also check out Multi-site hosting - important vulnerability being missed to secure sites from each other? for a discussion of multi-site hosting security and some other approaches.

Disclaimer: I can't promise that any suggestion above is 100% secure so use at your own risk =).

sa289
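The symlink attack the answer above warns about has a simple shape: a link inside one customer's document root whose target resolves to a file outside it, which the web server then serves as if it belonged to that site. The script below is an added example, not code from the answer, from cPanel or from Apache: find_escaping_links walks a document root and reports every symlink whose fully resolved target lies outside that root, and count_escaping_links wraps it for use in a cron job or test. It assumes a POSIX sh with find(1) and a readlink(1) that supports -f (GNU coreutils or BusyBox); the paths in the demo are constructed.

```shell
#!/bin/sh
# Added example: not code from the question, any answer, cPanel or Apache.
# find_escaping_links DOCROOT  prints "link -> target" for every symlink below
#                              DOCROOT whose resolved target is outside DOCROOT.
# count_escaping_links DOCROOT prints the number of such links.
# Assumes a POSIX sh plus find(1) and readlink(1) with -f (GNU coreutils, BusyBox).

find_escaping_links() {
    root=$(readlink -f "$1") || return 1          # canonical docroot, no trailing slash
    find "$root" -type l | while IFS= read -r link; do
        # readlink -f resolves every link in the chain; for a dangling link it still
        # returns a path as long as the parent directory exists.
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$root"|"$root"/*) ;;                 # resolves inside the docroot: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

count_escaping_links() {
    find_escaping_links "$1" | wc -l | tr -d ' '
}

# Constructed demo: a docroot with one harmless link and two that escape it.
# Run as `sh symlink_audit.sh demo`.
demo_symlinks() {
    t=$(mktemp -d)
    mkdir -p "$t/docroot/img"
    printf 'not for the web\n' > "$t/secret.txt"          # stands in for a neighbour's file
    printf '<html></html>\n' > "$t/docroot/index.html"
    ln -s index.html "$t/docroot/home.html"               # stays inside the docroot
    ln -s ../../secret.txt "$t/docroot/img/leak"          # relative link, escapes
    ln -s "$t/secret.txt" "$t/docroot/abs-leak"           # absolute link, escapes
    find_escaping_links "$t/docroot"
    echo "escaping links: $(count_escaping_links "$t/docroot")"
    rm -rf "$t"
}
case "${1:-}" in demo) demo_symlinks ;; esac
```

The check compares canonical paths, so a relative link such as `../../secret.txt` and an absolute one are treated the same, and a sibling directory whose name merely starts with the docroot's name (alice vs alice2) is correctly counted as outside. On the Apache side the matching mitigation is to replace `Options FollowSymLinks` with `Options SymLinksIfOwnerMatch`, which only follows a link when the link and its target have the same owner; the MPM ITK approach the answer mentions removes the problem differently, by running each site's requests as that site's own user so the server simply cannot read the neighbour's file.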