
[ubuntu] 14.10 install apache as root, security issue?



coombesy
November 19th, 2014, 02:57 AM
I just installed 14.10 and have noticed that `/var/www` needs root permissions to be edited.

Initially I was thinking it a security advantage but then thought what about my IDE's? If I run them as root, along with repo and other 3rd party plugins, would that not be a huge security issue?

mastablasta
November 19th, 2014, 11:06 AM
needs root permission or is owned by root?

how did you install apache? what are you trying to do? why do you need root to run things on apache webserver? and what kind of things?

Lars Noodén
November 19th, 2014, 11:29 AM
Apache2 should be running as user and group www-data, which should have read-only access to the web files. The user which Apache runs under is set in a somewhat convoluted way in Ubuntu, but you can see the environment variables APACHE_RUN_USER and APACHE_RUN_GROUP get set in the configuration file /etc/apache2/envvars. Then in the next configuration file, /etc/apache2/apache2.conf, these variables get used. Finally in the vhost configuration files, /etc/apache2/sites-available/*, if nothing overrides those settings then they stay.

If you yourself just want to write to the webserver(s) DocumentRoot, then you can just change ownership of the directories with sudo chown to that of your account. If you are going to share write access then you need a common group and some additional settings. Just be sure that o=rx for the directory so that Apache2 can read it. (Some difficult tricks are available if you need the web server to read files but not other system users, but that would be a separate discussion.)

coombesy
November 20th, 2014, 01:05 AM
thats the problem - I don't want apache to run as root

coombesy
November 20th, 2014, 01:12 AM
Apache2 should be running as user and group www-data, which should have read-only access to the web files. The user which Apache runs under is set in a somewhat convoluted way in Ubuntu, but you can see the environment variables APACHE_RUN_USER and APACHE_RUN_GROUP get set in the configuration file /etc/apache2/envvars. Then in the next configuration file, /etc/apache2/apache2.conf, these variables get used. Finally in the vhost configuration files, /etc/apache2/sites-available/*, if nothing overrides those settings then they stay.

If you yourself just want to write to the webserver(s) DocumentRoot, then you can just change ownership of the directories with sudo chown to that of your account. If you are going to share write access then you need a common group and some additional settings. Just be sure that o=rx for the directory so that Apache2 can read it. (Some difficult tricks are available if you need the web server to read files but not other system users, but that would be a separate discussion.)

thanks for the help

This is happening from a straight install of both 14.04 LTS and 14.10 after installing from the command line:


sudo apt-get install apache2


it's under root ownership:


/var/www$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Nov 19 08:50 .
drwxr-xr-x 14 root root 4096 Nov 19 08:50 ..
drwxr-xr-x 3 root root 4096 Nov 20 00:03 html


The `envar` APACHE_RUN_USER is also not set


/var/www$ echo $APACHE_RUN_USER

/var/www$


Yet the apache `envar` is set correctly:


/var/www$ cat /etc/apache2/envvars | grep APACHE_RUN_USER
export APACHE_RUN_USER=www-data

coombesy
November 20th, 2014, 01:14 AM
... just chmod'd the `www` directory to `www-data:www-data` and `http://localhost/` is running as expected. For some reason it will also run as expected if it's under root ownership, something sounds odd here.

Lars Noodén
November 20th, 2014, 08:06 AM
... just chmod'd the `www` directory to `www-data:www-data` and `http://localhost/` is running as expected. For some reason it will also run as expected if it's under root ownership, something sounds odd here.

Oops. You might want to wind that back to either be owned by root or your own user. If it is owned by www-data then it is writable by the server and that is not what you want.



drwxr-xr-x 3 root root 4096 Nov 20 00:03 html


The first set of rwx is for the user (root), the second (r-x) is for the group (root), the last triplet (r-x) is for anybody. So for the html directory, anybody can read it, and that anybody would include the web server's user. If you don't want anyone except the web server to read the directory then you probably want these settings (aka 750):



drwxr-x--- 3 root www-data 4096 Nov 20 00:03 html


But the use cases for that would be very few and far between since web data is usually published to the world.

Apache *has to* get launched as root if it is to listen on ports 80 or 443 or anything lower than port 1024. So what it does is first bind that port and then drop to the user specified in the configuration file and then use that user for everything else. The idea there is one of least privilege: root access is needed for binding to low ports but not for anything else. You can see this with ps



ps axfo pid,user,comm


There you can see that one process is started as root and then the others are run as www-data (or whatever is in the configuration). If you are not listening on a port under 1024 then you could theoretically run Apache as any user, but you will have to set the permissions for the log file appropriately; in fact it might be easier to have them in a different location altogether.

Edit: sorry, stray mouse click submitted prematurely.
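The privilege-drop pattern described in the post above, turned into a check. This is an added example and not part of the thread: it reads `ps axfo pid,user,comm` output (a constructed sample is embedded) and confirms that exactly one apache2 process runs as root while every other apache2 process runs as the user from /etc/apache2/envvars. The function name and the sample are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: verify the privilege-drop pattern from
# `ps axfo pid,user,comm` output. Exactly one apache2 process (the one that
# bound the low port) should run as root; every other apache2 process should
# run as the user set in /etc/apache2/envvars (www-data on Ubuntu).

# Constructed sample of `ps axfo pid,user,comm` on a healthy host.
SAMPLE_PS='  PID USER     COMMAND
    1 root     init
  842 root     apache2
  843 www-data  \_ apache2
  844 www-data  \_ apache2
  845 www-data  \_ apache2'

# Usage: ... | check_apache_privdrop [EXPECTED_USER]
# Reads ps output on stdin. Prints "ok" and returns 0 when one apache2 runs as
# root and all others as EXPECTED_USER; otherwise prints a summary and returns 1.
check_apache_privdrop() {
    want=${1:-www-data}
    awk -v want="$want" '
        NR == 1 { next }                       # column header
        $NF == "apache2" {                     # last field is the command, after any "\_" tree prefix
            if ($2 == "root")      root++
            else if ($2 == want)   workers++
            else                   bad = bad "\n  " $0
        }
        END {
            if (root == 1 && workers > 0 && bad == "") { print "ok"; exit 0 }
            printf "root=%d workers=%d unexpected:%s\n", root, workers, bad
            exit 1
        }'
}

printf '%s\n' "$SAMPLE_PS" | check_apache_privdrop www-data
# Live check on an Ubuntu host:  ps axfo pid,user,comm | check_apache_privdrop
```

A second root-owned apache2 worker, or a worker under some other account, makes the function return 1 and print the offending lines, which is the condition worth alerting on.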

coombesy
November 26th, 2014, 04:50 AM
excellent explanation @lars cheers ;)

but webserver would need write access for form uploads etc. So I'm wanting to have:
owner=root(rwx), group=www-data(rwx), others=read,execute

This is what I've attempted (result is apache can run, but my user has no write access)

give root & www-data group full permissions, then add my user to the root group.


sudo usermod -a -G www-data daithi
/var/www$ sudo chown -R root:www-data ./html

/var/www$ sudo chmod -R 0775 ./html
/var/www$ ls -lad ./html/
drwxrwxr-x 2 root www-data 4096 Nov 26 02:20 ./html/


any thoughts? (thanks for the help ;))

but no joy, my normal login user (and thus my IDEs) doesn't have write access


/var/www$ id daithi
uid=1000(daithi) gid=1000(daithi) groups=1000(daithi),4(adm),24(cdrom),27(sudo),30(dip),33(www-data),46(plugdev),109(lpadmin),125(sambashare)

/var/www$ groups daithi
daithi : daithi adm cdrom sudo dip www-data plugdev lpadmin sambashare
/var/www$

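One check worth running when a `usermod -a -G` grant does not seem to take effect, added here as an example and not part of the thread. `id daithi` and `groups daithi` read the group database, while the permission check on a directory uses the supplementary groups the running process actually carries; those are only refreshed at login, so a shell and any IDE started from it before the `usermod` keep the old list. The function name is an assumption for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: tell apart "the account has the group on
# record" (what `id ACCOUNT` and `groups ACCOUNT` show, read from the group
# database) from "this process carries the group" (what the kernel checks
# against a directory's group bits). usermod -a -G changes only the database;
# shells already running, and any IDE started from them, keep their old
# supplementary group list until a fresh login.

# Usage: group_is_effective GROUP [ACCOUNT]   (ACCOUNT defaults to the caller)
# Returns 0 if the current process has GROUP, 2 if ACCOUNT has it on record
# only (re-login needed), 1 if it is not assigned at all.
group_is_effective() {
    grp=$1; acct=${2:-$(id -un)}
    # `id -Gn` with no argument reports the calling process's credentials.
    if id -Gn | tr ' ' '\n' | grep -qxF -- "$grp"; then
        return 0
    # `id -Gn ACCOUNT` reports what the group database says about the account.
    elif id -Gn "$acct" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$grp"; then
        echo "$acct has $grp in the group database, but this session does not: log out and back in" >&2
        return 2
    else
        echo "$acct is not a member of $grp" >&2
        return 1
    fi
}

# The caller's primary group is always effective; the second call shows what
# the poster's shell would report for www-data.
group_is_effective "$(id -gn)" && echo "$(id -gn): effective in this session"
group_is_effective www-data || echo "www-data: not usable by this session (status $?)"
```

Status 2 is the case the thread's symptoms match: `id daithi` lists www-data, yet a `chmod 775` root:www-data directory still refuses writes from the already-running session.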
coombesy
November 26th, 2014, 06:22 AM
seems a definite answer is a matter of taste as well as requirement.

I'm going with my user owns, apache user has permission, everything else can go and jump ;)


$ cd /var/www
$ sudo chown -R daithi:www-data html
$ sudo chmod -R 770 html
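An audit to go with the layout chosen above, added as an example and not part of the thread. Lars's point earlier was that the DocumentRoot should not be writable by the server user; `chown -R daithi:www-data` plus `chmod -R 770` makes every path under html writable by www-data, not just the upload directory the form handling needs. The function below lists which paths a given server user and group could write to, so the scope of that grant is visible. It assumes GNU find (for `-printf`), compares owner and group names only (so it runs without root), and builds a constructed temporary tree in place of /var/www; the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: list every path under a DocumentRoot that
# the Apache worker could write to, given the user and group it runs as
# (www-data:www-data on Ubuntu). With the thread's final layout, daithi:www-data
# and mode 770 applied recursively, every path shows up; usually only an uploads
# directory is meant to.
# Assumes GNU find (-printf). Compares names only, so root is not required.

# Usage: web_writable_paths DOCROOT SERVER_USER SERVER_GROUP
# Prints the writable paths, one per line, sorted.
web_writable_paths() {
    docroot=$1; srv_user=$2; srv_group=$3
    find "$docroot" -printf '%u %g %m %p\n' |
    awk -v u="$srv_user" -v g="$srv_group" '
        # an octal digit has the write bit (2) set for 2, 3, 6 and 7
        function wbit(d) { return (int(d) % 4) >= 2 }
        {
            m = $3; n = length(m)            # mode such as 755, 2775, 1777
            uw = wbit(substr(m, n - 2, 1))   # owner triplet
            gw = wbit(substr(m, n - 1, 1))   # group triplet
            ow = wbit(substr(m, n, 1))       # others
            if (($1 == u && uw) || ($2 == g && gw) || ow) {
                path = $4
                for (i = 5; i <= NF; i++) path = path " " $i   # names containing spaces
                print path
            }
        }' | sort
}

# Constructed tree standing in for /var/www. It is owned by whoever runs this,
# so the group case cannot be shown without root; world-writable bits stand in
# for "writable by the server". Only html/uploads is meant to be writable.
make_demo_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/html/uploads" "$d/html/css"
    : > "$d/html/index.html"
    : > "$d/html/css/site.css"
    : > "$d/html/uploads/.keep"
    chmod 755 "$d" "$d/html" "$d/html/css"
    chmod 644 "$d/html/index.html" "$d/html/css/site.css"
    chmod 777 "$d/html/uploads"
    chmod 666 "$d/html/uploads/.keep"
    printf '%s\n' "$d"
}

DEMO=$(make_demo_docroot)
echo "paths www-data could write under $DEMO:"
web_writable_paths "$DEMO" www-data www-data
rm -rf "$DEMO"
# Real check on the thread's layout:  web_writable_paths /var/www/html www-data www-data
```

Run against the thread's own layout the list is the whole tree; the usual target is for it to contain only the upload directory, with the rest owned by the developer's account, group www-data, and mode 750 or 755 as Lars described.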