I have a small webserver used by some friends to host personal websites. Occasionally they need to make a folder for uploads that can be written to by the webserver (www-data). Is there a safe way to allow a regular user (not in sudoers) to set a specific group that they are not a member of?
To me this seems to be a dangerous option to allow, but one that I might have to allow. So I am interested in secure ways of doing it. Writing my own script & allowing users to sudo it is likely not to be secure. I want to try to use best practices, not just allowing sudo chgrp, unless that really is secure.
Some requirements:
* Can only change files in a specific area of the server
* Can only change to and from specific groups
* Cannot be hacked to allow privilege escalation or other security issues.
Running the PHP FastCGI as a specific user might be a good solution, but how would I ensure that is set up securely & safely?
If your users' websites are separated into virtual hosts, a simple and secure way in most cases would be to use apache2-mpm-itk, which allows you to constrain each individual vhost to a particular system user/group.
After installing apache2-mpm-itk, add these lines in part of apache configuration:
This way php/perl/python scripts in vhosts are also run as the regular user, with that user's permissions.
One thing you can do, and I do it, is to use suexec to specify that each person's PHP scripts run under their own user or group account.
To do this you'll need to also run PHP as a FastCGI module and run mod_fcgid under Apache (hint: you can also use Apache's Worker MPM). Installation is a bit tricky - you need wrapper scripts (you may be able to get around this using suphp but I haven't tried it).
I have it so that PHP (and all CGI processes) run as www-data:<username>. Then, if users want to be able to have PHP upload to their own folder, they can just set the group write flag themselves. Or just run PHP as <username>:<username> and they won't even have to do that.
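
The "set the group write flag themselves" step above, as an added shell example that is not part of the original answer. It assumes the directory's group is the site owner's own group, that GNU coreutils are available, and the function names are hypothetical; the check also rejects a world-writable upload directory.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the directory's group
# is the site owner's own group (the group PHP runs with in the setup above).

# make_upload_dir DIR: create DIR and make it group-writable, never world-writable.
make_upload_dir() {
    dir=$1
    [ -n "$dir" ] || { echo "usage: make_upload_dir DIR" >&2; return 2; }
    # Refuse symlinks so chmod cannot be redirected to another location.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    mkdir -p -- "$dir" || return 1
    # Only change directories owned by the calling user.
    [ -O "$dir" ] || { echo "refusing: $dir is not yours" >&2; return 1; }
    chmod g+rwx,o-w -- "$dir"
}

# check_upload_dir DIR: succeed only if DIR is a real directory that the
# group can write to and other users cannot.
check_upload_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    mode=$(stat -c '%a' -- "$dir") || return 1   # GNU stat, e.g. 775 or 2775
    [ $(( 0$mode & 020 )) -ne 0 ] || return 1    # group write bit set
    [ $(( 0$mode & 002 )) -eq 0 ] || return 1    # world write bit clear
    return 0
}
```

No sudo or chgrp is involved: the user only changes permission bits on a directory they already own.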