Solved

webserver setup and filesystem permission.

Posted on 2002-07-10
13
237 Views
Last Modified: 2010-04-07
All,
I have a design question about webserver.

To give you brief idea about my current setup,

I have webserver on my production network, the main purpose of the webserver is that user can come on my intra net site and will access the report they want. I have developed couple of cgi scripts for this purpose.
As my webserver runs with lowest privilege, my cgi can not directly access the report file which are lying on the production env.

I have solved this problem by not directly accessing report file but by /bin/cat (I have set the sticky bit to /bin/cat, so no matter who runs the /bin/cat it is run as the privileged user)

but it becomes too combursum, when I release perl module(which is shared by my cgi and few other perl programs), as I have to change the permission on module every time they are released so that is is acceesible by webserver.

Is there any other better way to run webserver on production segment, where it will run as lowest privilage user but still access the production files or perl modules without such adjustments)

Best Regards
Nilesh
0
Comment
Question by:tambde
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 15

Expert Comment

by:samri
ID: 7144069
Nilesh,

If you could give some examples, it would be a bit clearer on how your setups are.

At the moment, I am assuming that the reports and the webserver are on the same machine, and the OS is unix.

Another option that I can think of is to copy all the files that is required to some protected directory on interval basis.  Or you could a cron job every minutes (any interval you choose), to sync the files, and after the files is copied, change the permission, so that only webserver can access it (read-only).  Another option would be running suExec feature (if you are running Apache).

cheers.
0
 
LVL 15

Expert Comment

by:samri
ID: 7148470
Nilesh,

any feedback?
0
 

Author Comment

by:tambde
ID: 7149046
Thanks for you interest,
Yes OS is Unix, and the report files are on a partition which is mounted on the machine on which webserver is running.

The problem is
1> Report files have the permission set which doesn't allow user from group other than its owner.
and my webserver runs as nobody and hence all the scripts running from the webserver are not aving read permission on these reports.

2> The perl modules used by my cgi are shared by other perl programs and hence they are updated(released) time to time by their respective developer and they set the same permission as point 1. and hence i meed to change the permission on them manually so that my cgi scripts can read them.

what i am looking for:
1>A way by which I dont have to manually change the file permission on the modules everytime they are released.
2>A safe way to access the files(like report).

Hope these makes things more clearer..

-
Nilesh
0
 
LVL 15

Expert Comment

by:samri
ID: 7149427
Nilesh,

Thank for the information.

So lets get back to the approach that you mentioned has worked before.  The suid scripts.

I would suspect that if you could write a perlcode to utilize the modules, and make the perl-program suid.  

Or (still the same suid perl modules).  How about identifying the modules that is used in the report, and create a shell script to set the suid bit to that modules.  You can run it off the cron let say every hour for example to do that.

This would be a much straightforward -- since we knew that by changing the suid bit on the modules, it worked.

cheers.

0
 

Author Comment

by:tambde
ID: 7151836
From your reply, It seems like I am not able to specify my requirement correctly..

first thing setuid means the script will run as the higher previleged user...and offcource then it can access any report but it is highly undesirable because I think the webserver should never run with higher previlege.

so I have set setuid bit on my c binary..and I do "system" or "``"  in my cgi so that that binary reads the report..and returns the data to cgi.

so I was wondering Is there any other good way to achieve this...

Thanks for your time
Nilesh
0
 
LVL 15

Expert Comment

by:samri
ID: 7151978
Nilesh,

Yes, on most cases, it is not recommended to run any scripts with a priveleged id (root for example), and web server would refused to run as root.  Unless you can ensure that there is not loophole in your script that can cause harm, I did not see any problem with that.

Back to your specific scenario, you did mentioned that it the scripts runs fine when it is running with suid (privelege user).

If you are looking for an alternative, I would say that, having a copy of the reports in other location, where it is protected (and only the webserver) can access it would be another approach.  Maybe what you can do is to create a directory, and copy all the reports (if it is not too big) to this directory.  You can do this as root (via cron job maybe), and set the permission properly so that only webserver (user: nobody: group: nogroup) can access this.

cheers
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 15

Expert Comment

by:samri
ID: 7151979
Nilesh,

Yes, on most cases, it is not recommended to run any scripts with a priveleged id (root for example), and web server would refused to run as root.  Unless you can ensure that there is not loophole in your script that can cause harm, I did not see any problem with that.

Back to your specific scenario, you did mentioned that it the scripts runs fine when it is running with suid (privelege user).

If you are looking for an alternative, I would say that, having a copy of the reports in other location, where it is protected (and only the webserver) can access it would be another approach.  Maybe what you can do is to create a directory, and copy all the reports (if it is not too big) to this directory.  You can do this as root (via cron job maybe), and set the permission properly so that only webserver (user: nobody: group: nogroup) can access this.

cheers
0
 

Author Comment

by:tambde
ID: 7152096
Hmm....
Copying the reports to diff. loc. seems good alternative, but they are really huge..and other systems(apart from webserver) also accesses them.
Any way I will think about that..
Thanks again..
0
 
LVL 15

Accepted Solution

by:
samri earned 50 total points
ID: 7152521
Nilesh,

Another option would be creating a symbolic link to the report file.  Depending on how many report files there are, you could create a script to do that.  The approach would be almost similar the previous (copy file), but insted of the actual file, we would only create a link to the actual report file.  The symlik can be placed in a protected directory.  

This approach would require you to fix the httpd.conf to have FollowSymlink (and not SymLinksIfOwnerMatch).  

cheers.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 8148422
This question has been abandoned. I will make a recommendation to the
moderators on its resolution in a week or two. I appreciate any comments
that would help me to make a recommendation.
<note>
   In the absence of responses, I may recommend DELETE unless it is clear
   to me that it has value as a PAQ.  Silence = you don't care
</note>

Cd&
0
 
LVL 15

Expert Comment

by:samri
ID: 8149531
CD&,

my last two comments looks promising to Nilesh.  However, no confirmation is done on whether they implemented it.

I would say that should do it.

0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 8187152
It is time to clean this abandoned question up.  

I am putting it on a clean up list for CS.

<recommendation>
points to samri

</recommendation>

If anyone participating in the Q disagrees with the recommendation,
please leave a comment for the mods.

Cd&
0
 

Expert Comment

by:Chmod
ID: 8240457
As recommended

Chmod
Community Support Moderator @Experts Exchange
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Now that Expression Web 4.0 (http://www.microsoft.com/expression/products/Upgrade.aspx) is free if you buy or have the full version of Expression Web 3.0, now is the best time to  migrate from FrontPage to Expression Web (http://www.frontpage-to-exp…
Turn A Profile Picture Into A Cartoon Using Photoshop And Illustrator This tutorial will teach you how to make a cartoon style image out of a regular picture. I have tried to keep the tutorial as simple as possible. I used Adobe CS4 for this tuto…
The purpose of this video is to demonstrate how to insert an Iframe into WordPress. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Open Page or Post…
The purpose of this video is to demonstrate how to Test the speed of a WordPress Website. Site Speed is an important metric of a site’s health. Slow site speed can result in viewers leaving your site quickly and not seeing your content. This…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now