  • Status: Solved
  • Priority: Medium
  • Security: Public

webserver setup and filesystem permission.

All,
I have a design question about a webserver.

To give you a brief idea of my current setup:

I have a webserver on my production network. Its main purpose is that users can come to my intranet site and access the reports they want. I have developed a couple of CGI scripts for this purpose.
As my webserver runs with the lowest privilege, my CGI cannot directly access the report files, which are lying in the production env.

I have solved this problem by not accessing the report file directly but through /bin/cat (I have set the sticky bit on /bin/cat, so no matter who runs /bin/cat it is run as the privileged user).

But it becomes too cumbersome when I release a Perl module (which is shared by my CGI and a few other Perl programs), as I have to change the permissions on the module every time it is released so that it is accessible by the webserver.

Is there any better way to run a webserver on the production segment, where it will run as the lowest-privilege user but still access the production files or Perl modules without such adjustments?

Best Regards
Nilesh
 
samri Commented:
Nilesh,

If you could give some examples, it would be a bit clearer how your setup is arranged.

At the moment, I am assuming that the reports and the webserver are on the same machine, and the OS is Unix.

Another option that I can think of is to copy all the files that are required to some protected directory on an interval basis. Or you could run a cron job every minute (any interval you choose) to sync the files and, after the files are copied, change the permissions so that only the webserver can access them (read-only). Another option would be running the suExec feature (if you are running Apache).

cheers.
 
samri Commented:
Nilesh,

Any feedback?
 
tambde (Author) Commented:
Thanks for your interest.
Yes, the OS is Unix, and the report files are on a partition which is mounted on the machine on which the webserver is running.

The problem is:
1> The report files have permissions set which don't allow users from any group other than the owner's, and my webserver runs as nobody, and hence all the scripts running from the webserver do not have read permission on these reports.

2> The Perl modules used by my CGI are shared by other Perl programs, and hence they are updated (released) from time to time by their respective developers, who set the same permissions as in point 1. Hence I need to change the permissions on them manually so that my CGI scripts can read them.

What I am looking for:
1> A way by which I don't have to manually change the file permissions on the modules every time they are released.
2> A safe way to access the files (like reports).

Hope this makes things clearer.

-
Nilesh
 
samri Commented:
Nilesh,

Thanks for the information.

So let's get back to the approach that you mentioned has worked before: the suid scripts.

I would suspect that you could write Perl code to utilize the modules, and make the Perl program suid.

Or (still the same suid Perl modules), how about identifying the modules that are used in the report, and creating a shell script to set the suid bit on those modules? You can run it off cron, let's say every hour for example, to do that.

This would be much more straightforward, since we know that by changing the suid bit on the modules, it worked.

cheers.

 
tambde (Author) Commented:
From your reply, it seems I was not able to state my requirement correctly.

First, setuid means the script will run as the higher-privileged user, and of course then it can access any report, but that is highly undesirable because I think the webserver should never run with higher privilege.

So I have set the setuid bit on my C binary, and I do "system" or "``" in my CGI so that the binary reads the report and returns the data to the CGI.

So I was wondering: is there any other good way to achieve this?

Thanks for your time
Nilesh
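
An added example, not code posted in this thread: a minimal C version of the setuid report reader described above, which accepts only a bare file name, refuses symlinks and non-regular files, and permanently drops the elevated IDs right after the open. `REPORT_DIR`, `valid_report_name` and `open_report` are hypothetical names, and the directory path is a placeholder.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define REPORT_DIR "/prod/reports"  /* placeholder path, not from the thread */
static const char ALLOWED[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                              "abcdefghijklmnopqrstuvwxyz0123456789._-";

/* Accept only a bare file name: allowed characters, no '/', no leading dot. */
int valid_report_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    return len > 0 && len <= 64 && name[0] != '.' && strspn(name, ALLOWED) == len;
}

/* Open name inside dir read-only; returns an fd, or -1 if anything is off. */
int open_report(const char *dir, const char *name)
{
    struct stat st;
    if (!valid_report_name(name))
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    close(dfd);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);               /* FIFO, device or directory: refuse it */
        fd = -1;
    }
    return fd;
}

/* Usage: helper <report-name>; copies the report to stdout for the CGI. */
int main(int argc, char **argv)
{
    char buf[4096];
    ssize_t n;
    int fd = (argc == 2) ? open_report(REPORT_DIR, argv[1]) : -1;
    /* Privilege is needed only for the open: drop group, then user, for good. */
    if (setregid(getgid(), getgid()) != 0 || setreuid(getuid(), getuid()) != 0 || fd < 0)
        return 1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) != n)
            return 1;
    return n == 0 ? 0 : 1;
}
```

The binary would be owned by the report owner with the setuid bit set, and the CGI should pass the report name as a separate argument rather than interpolating it into a shell string.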
 
samri Commented:
Nilesh,

Yes, in most cases, it is not recommended to run any scripts with a privileged id (root for example), and the web server would refuse to run as root. Unless you can ensure that there is no loophole in your script that can cause harm, I do not see any problem with that.

Back to your specific scenario, you did mention that the scripts run fine when running with suid (privileged user).

If you are looking for an alternative, I would say that having a copy of the reports in another location, where it is protected (and only the webserver can access it), would be another approach. Maybe what you can do is to create a directory, and copy all the reports (if they are not too big) to this directory. You can do this as root (via a cron job maybe), and set the permissions properly so that only the webserver (user: nobody, group: nogroup) can access this.

cheers
 
tambde (Author) Commented:
Hmm....
Copying the reports to a different location seems a good alternative, but they are really huge, and other systems (apart from the webserver) also access them.
Anyway, I will think about that.
Thanks again..
 
samri Commented:
Nilesh,

Another option would be creating a symbolic link to the report file. Depending on how many report files there are, you could create a script to do that. The approach would be almost similar to the previous one (copy file), but instead of the actual file, we would only create a link to the actual report file. The symlink can be placed in a protected directory.

This approach would require you to fix the httpd.conf to have FollowSymLinks (and not SymLinksIfOwnerMatch).

cheers.
 
COBOLdinosaur Commented:
This question has been abandoned. I will make a recommendation to the
moderators on its resolution in a week or two. I appreciate any comments
that would help me to make a recommendation.
<note>
   In the absence of responses, I may recommend DELETE unless it is clear
   to me that it has value as a PAQ.  Silence = you don't care
</note>

Cd&
 
samri Commented:
CD&,

My last two comments look promising to Nilesh. However, there has been no confirmation on whether they implemented it.

I would say that should do it.

 
COBOLdinosaur Commented:
It is time to clean this abandoned question up.  

I am putting it on a clean up list for CS.

<recommendation>
points to samri

</recommendation>

If anyone participating in the Q disagrees with the recommendation,
please leave a comment for the mods.

Cd&
 
Chmod Commented:
As recommended

Chmod
Community Support Moderator @Experts Exchange