Monday, September 29, 2014

ubuntu - what permissions should I give to a folder on apache when it demands write and execute permissions



I am trying to get a few Content Management Systems up and running, but I have security concerns with respect to them.




1) Please see the following link: http://www.dokeos.com/doc/installation_guide.html. Section 2 says:

The following directories need to be readable, writeable and executable for everyone:




  • dokeos/main/inc/conf/
  • dokeos/main/upload/users/
  • dokeos/main/default_course_document/
  • dokeos/archive/
  • dokeos/courses/
  • dokeos/home/



I am not very happy with this idea of having directories be readable, writeable and executable for everyone.



2) http://doc.claroline.net/en/index.php/Install_general_information

The section "Rights on folders" says:

"If you don't want to set write access on the whole folders, which is recommended for security reasons, give to the web server user write access on these folders:"

Is this a recommended practice?



3) Another LMS (Learning Management System) also asked, while installing, to make some folders writeable and executable for everyone.

Here is a link: http://atutor.ca/atutor/docs/installation.php

While installing it I got this message:

"The directory you specify must be created if it does not already exist and be writeable by the webserver. On Unix machines issue the command chmod a+rwx content, additionally the path may not contain any symbolic links. chmod a+rwx /var/www/atutor/content"




4) Another LMS, docebolms, asked to give write permissions on:

files/doceboCore/photo
files/common/users
files/doceboLms/course
files/doceboLms/forum
files/doceboLms/item
files/doceboLms/message
files/doceboLms/project
files/doceboLms/scorm
files/doceboLms/test

I checked its documentation
http://www.docebo.org/doceboCms/index.php?mn=docs&op=docsĪ€=5_4&folder=7
but it was not that helpful.



I am not at all convinced by the idea of giving read, write and execute permissions to everyone, as these Learning Management Systems say.
Let me know what you people have to say.
What is the best practice in such situations?


Answer



You're right to be concerned, and too many application vendors resort to telling you you need to grant full permissions to every user in order to avoid problems. They do this to minimize support calls, rather than to maximize security.



It does make sense that the web server account would need write access to certain directories to store uploads or generated files. And execute access on directories is required in Unix in order for the contents of the directory to be enumerated by a user, so that will also be necessary.




Ultimately, what you want is for the user account that is running the web server process (most likely www-data if you are using a packaged web server on Ubuntu) to own the folders in question, and then the standard permissions of 755 (rwxr-xr-x) are sufficient, or if you are on a shared system with other untrusted users, you'd want 700 (rwx------).



So, in your first example, assuming those directories already exist, you would need to do this:

    $ sudo chown -R www-data:www-data dokeos/main/inc/conf/ dokeos/main/upload/users/ dokeos/main/default_course_document/ dokeos/archive/ dokeos/courses/ dokeos/home/
    $ sudo chmod 755 dokeos/main/inc/conf/ dokeos/main/upload/users/ dokeos/main/default_course_document/ dokeos/archive/ dokeos/courses/ dokeos/home/

Again, if you are on a shared system, you may wish to replace "755" with "700" on the second line. If you know that www-data is not the user running your web server, replace that item with the correct value. You can run the same two commands on the directories for the second system as well. In both cases, write access is probably necessary, but only for the single user running the web server, not for everyone.




Good luck.
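The same chown/chmod pattern as a small shell helper, added here as an example rather than taken from the answer: it checks whether a directory is still world-writable (the state "chmod a+rwx" leaves behind), hands the directory to the web server account with a 755 or 700 mode, and lists any world-writable directories left under a tree. It assumes a Debian/Ubuntu layout where the web server runs as www-data (WEB_USER and WEB_GROUP are overridable) and only attempts the chown when run as root.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the web server runs
# as www-data; override WEB_USER / WEB_GROUP if your server uses another account.
WEB_USER="${WEB_USER:-www-data}"
WEB_GROUP="${WEB_GROUP:-$WEB_USER}"

# Print the octal mode of a path (GNU stat, with a BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if "other" has the write bit, i.e. what "chmod a+rwx" produces.
is_world_writable() {
  m=$(mode_of "$1") || return 1
  o=${m#"${m%?}"}                 # last octal digit = permissions for "other"
  [ $(( o & 2 )) -ne 0 ]
}

# Give one directory to the web server account and apply a narrow mode:
# 755 by default, 700 on a shared host where other local users are untrusted.
harden_dir() {
  dir=$1; mode=${2:-755}
  case "$mode" in 755|700) ;; *) echo "refusing mode $mode" >&2; return 2 ;; esac
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  # chown needs root and an existing account; otherwise keep the current owner.
  if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1; then
    chown "$WEB_USER:$WEB_GROUP" "$dir" || return 1
  fi
  chmod "$mode" "$dir"
}

# List world-writable directories under a tree so leftovers can be audited.
find_world_writable_dirs() {
  find "$1" -type d -perm -o+w -print
}

# Usage: harden_dir /var/www/dokeos/main/upload/users 755
#        find_world_writable_dirs /var/www/dokeos
```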

