tambde

asked on

webserver setup and filesystem permission.

All,
I have a design question about a webserver.

To give you a brief idea about my current setup:

I have a webserver on my production network. The main purpose of the webserver is that users can come to my intranet site and access the reports they want. I have developed a couple of CGI scripts for this purpose.
As my webserver runs with the lowest privilege, my CGI cannot directly access the report files, which are lying in the production env.

I have solved this problem by not accessing the report file directly but through /bin/cat (I have set the sticky bit on /bin/cat, so no matter who runs /bin/cat, it is run as the privileged user).

But it becomes too cumbersome when I release a Perl module (which is shared by my CGI and a few other Perl programs), as I have to change the permissions on the module every time it is released so that it is accessible by the webserver.

Is there any better way to run a webserver on the production segment, where it will run as the lowest-privilege user but still access the production files or Perl modules without such adjustments?

Best Regards
Nilesh
samri

Nilesh,

If you could give some examples, it would be a bit clearer how your setup is.

At the moment, I am assuming that the reports and the webserver are on the same machine, and the OS is Unix.

Another option that I can think of is to copy all the files that are required to some protected directory at intervals. Or you could run a cron job every minute (or any interval you choose) to sync the files, and after the files are copied, change the permissions so that only the webserver can access them (read-only). Another option would be running the suExec feature (if you are running Apache).

cheers.
Nilesh,

any feedback?
tambde

ASKER

Thanks for your interest.
Yes, the OS is Unix, and the report files are on a partition which is mounted on the machine on which the webserver is running.

The problem is:
1> Report files have the permission set which doesn't allow users from any group other than its owner, and my webserver runs as nobody, hence all the scripts running from the webserver do not have read permission on these reports.

2> The Perl modules used by my CGI are shared by other Perl programs, hence they are updated (released) from time to time by their respective developers, and they set the same permissions as in point 1. Hence I need to change the permissions on them manually so that my CGI scripts can read them.

What I am looking for:
1> A way by which I don't have to manually change the file permissions on the modules every time they are released.
2> A safe way to access the files (like reports).

Hope this makes things clearer.

-
Nilesh
Nilesh,

Thanks for the information.

So let's get back to the approach that you mentioned has worked before: the suid scripts.

I would suspect that you could write Perl code to utilize the modules, and make the Perl program suid.

Or (still the same suid Perl modules): how about identifying the modules that are used in the report, and creating a shell script to set the suid bit on those modules? You can run it from cron, let's say every hour for example, to do that.

This would be much more straightforward, since we know that by changing the suid bit on the modules, it worked.

cheers.


ASKER

From your reply, it seems like I have not been able to specify my requirement correctly.

First thing: setuid means the script will run as the higher-privileged user, and of course then it can access any report, but it is highly undesirable because I think the webserver should never run with higher privilege.

So I have set the setuid bit on my C binary, and I do "system" or "``" in my CGI so that the binary reads the report and returns the data to the CGI.

So I was wondering, is there any other good way to achieve this?

Thanks for your time
Nilesh
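
As an added example (not part of the thread, and not the asker's code), here is one way the setuid C helper described above could be written so that it only ever reads a named report from one fixed directory and gives up its privilege before reading any data. `REPORT_DIR`, the function names and the 64-character name limit are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700            /* openat, O_NOFOLLOW, setreuid */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define REPORT_DIR "/data/reports"   /* assumption: fixed at build time, never taken from the CGI */

/* Allowlist: 1-64 chars of [A-Za-z0-9_.-], no leading '.', so no '/' and no "..". */
int is_safe_report_name(const char *name) {
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && !strchr("_.-", name[i])) return 0;
    return 1;
}

/* Open dir/name read-only; refuse symlinks and anything that is not a regular file. */
int open_report(const char *dir, const char *name) {
    if (!is_safe_report_name(name)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    close(dfd);
    struct stat st;
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) { close(fd); fd = -1; }
    return fd;
}

/* Usage: report-reader <name>. Installed setuid to the report owner, not root. */
int main(int argc, char **argv) {
    int fd = (argc == 2) ? open_report(REPORT_DIR, argv[1]) : -1;
    /* Passing the real ID to setre[ug]id also resets the saved ID: a permanent drop. */
    if (setregid(getgid(), getgid()) != 0 || setreuid(getuid(), getuid()) != 0) return 2;
    if (fd < 0) { fputs("report not available\n", stderr); return 1; }
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) != n) return 1;
    close(fd);
    return n < 0;
}
```

From the CGI, call the helper with an argument list (Perl's list-form `system` or `open`) rather than a single command string, so the report name never passes through a shell.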
Nilesh,

Yes, in most cases, it is not recommended to run any scripts with a privileged ID (root, for example), and the web server would refuse to run as root. Unless you can ensure that there is no loophole in your script that can cause harm, I did not see any problem with that.

Back to your specific scenario, you did mention that the scripts run fine when running with suid (privileged user).

If you are looking for an alternative, I would say that having a copy of the reports in another location, where it is protected (and only the webserver can access it), would be another approach. Maybe what you can do is create a directory and copy all the reports (if they are not too big) to this directory. You can do this as root (via a cron job, maybe), and set the permissions properly so that only the webserver (user: nobody, group: nogroup) can access it.

cheers

ASKER

Hmm....
Copying the reports to a diff. loc. seems a good alternative, but they are really huge, and other systems (apart from the webserver) also access them.
Anyway, I will think about that..
Thanks again..
This question has been abandoned. I will make a recommendation to the
moderators on its resolution in a week or two. I appreciate any comments
that would help me to make a recommendation.
<note>
   In the absence of responses, I may recommend DELETE unless it is clear
   to me that it has value as a PAQ.  Silence = you don't care
</note>

Cd&
CD&,

My last two comments look promising to Nilesh.  However, no confirmation was given on whether they implemented it.

I would say that should do it.

It is time to clean this abandoned question up.  

I am putting it on a clean up list for CS.

<recommendation>
points to samri

</recommendation>

If anyone participating in the Q disagrees with the recommendation,
please leave a comment for the mods.

Cd&
As recommended

Chmod
Community Support Moderator @Experts Exchange