Would running apache as myself cause any serious security or other issues? (apache 2.2 on Fedora 8 if it's of any significance)
It's on my home system where I am really the only user and apache is used mainly for 'local' browsing though there is one directory which I have opened up the apache permissions on so it's visible from the outside world.
The only major issue I can see is that someone else browsing using apache *might* be able to see some of 'my' files that they wouldn't be able to see if apache was running as apache.
Alternatively can anyone suggest a scriptable way of allowing myself to become user apache so that I can create files, do fuse mounts, etc. as apache?
On Wed, Mar 12, 2008 at 1:44 PM, Chris G cl@isbd.net wrote:
Alternatively can anyone suggest a scriptable way of allowing myself to become user apache so that I can create files, do fuse mounts, etc. as apache?
Why not change the group permissions on the apache directories to give you write rights? If you set the group sticky bit too then new files and directories will retain the group ownership.
Tim.
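The group-permission approach suggested in the message above, as an added example that is not part of the original thread: it sets the setgid bit on directories (what the message calls the group sticky bit) and then audits the tree. The temporary directory and the use of the caller's own group are constructed so it runs without root; on the system discussed, the group would be the one apache runs as.

```bash
#!/usr/bin/env bash
# Added example. Assumptions: GNU find/chmod; a temp dir stands in for the
# web directory and the caller's own gid stands in for apache's group.

# share_with_group DIR GROUP: group-own DIR, give the group write access and
# set setgid on every directory so entries created later inherit the group.
share_with_group() {
    local dir=$1 group=$2
    chgrp -R -- "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod g+rwxs,o-w {} + || return 1
    find "$dir" -type f -exec chmod g+rw,o-w {} + || return 1
}

# audit_shared DIR GROUP: list entries that break the scheme; return 1 if any.
audit_shared() {
    local dir=$1 group=$2 bad
    bad=$(
        find "$dir" ! -group "$group" -printf 'wrong-group %p\n'
        find "$dir" -type d ! -perm -2000 -printf 'no-setgid %p\n'
        find "$dir" ! -type l -perm -0002 -printf 'world-writable %p\n'
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# demo: build a constructed tree, share it, add entries afterwards, audit.
demo() {
    local root group rc
    root=$(mktemp -d) || return 1
    group=$(id -g)
    mkdir -p "$root/site/img" && touch "$root/site/index.html"
    share_with_group "$root/site" "$group" || { rm -rf "$root"; return 1; }
    # Created after setup: the new directory inherits the group and setgid.
    ( umask 002; mkdir "$root/site/new"; touch "$root/site/new/page.html" )
    audit_shared "$root/site" "$group"
    rc=$?
    rm -rf "$root"
    return $rc
}

demo && echo "audit clean: new entries kept the group and setgid bit"
```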
Chris G cl@isbd.net wrote:
Would running apache as myself cause any serious security or other issues? (apache 2.2 on Fedora 8 if it's of any significance) [...]
An exploit of apache could wipe out your files. Seems serious to me if the apache is world-visible.
Alternatively can anyone suggest a scriptable way of allowing myself to become user apache so that I can create files, do fuse mounts, etc. as apache?
sudo, or careful use of group ownerships (chgrp) and permissions (chmod g+rx). Alternatively, consider using suexec or mod_ruid to have apache run *some* tasks as your user.
Hope that helps,
On Wed, Mar 12, 2008 at 02:12:46PM +0000, MJ Ray wrote:
Chris G cl@isbd.net wrote:
Would running apache as myself cause any serious security or other issues? (apache 2.2 on Fedora 8 if it's of any significance) [...]
An exploit of apache could wipe out your files. Seems serious to me if the apache is world-visible.
Yes, true, I've decided to avoid it if I can.
Alternatively can anyone suggest a scriptable way of allowing myself to become user apache so that I can create files, do fuse mounts, etc. as apache?
sudo, or careful use of group ownerships (chgrp) and permissions (chmod g+rx). Alternatively, consider using suexec or mod_ruid to have apache run *some* tasks as your user.
The issue is with an encfs/fuse mounted directory: by default (regardless of permissions) only the user who mounts the file system can see the files. Even root can't see the files or manipulate them.
I have a workable solution using the allow_other option to fuse, which allows others to read fuse mounted files by default; I can then set the 'normal' permissions to restrict access as required.