Solved

webserver setup and filesystem permission.

Posted on 2002-07-10
13
238 Views
Last Modified: 2010-04-07
All,
I have a design question about webserver.

To give you brief idea about my current setup,

I have webserver on my production network, the main purpose of the webserver is that user can come on my intra net site and will access the report they want. I have developed couple of cgi scripts for this purpose.
As my webserver runs with lowest privilege, my cgi can not directly access the report file which are lying on the production env.

I have solved this problem by not directly accessing report file but by /bin/cat (I have set the sticky bit to /bin/cat, so no matter who runs the /bin/cat it is run as the privileged user)

but it becomes too combursum, when I release perl module(which is shared by my cgi and few other perl programs), as I have to change the permission on module every time they are released so that is is acceesible by webserver.

Is there any other better way to run webserver on production segment, where it will run as lowest privilage user but still access the production files or perl modules without such adjustments)

Best Regards
Nilesh
0
Comment
Question by:tambde
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 15

Expert Comment

by:samri
ID: 7144069
Nilesh,

If you could give some examples, it would be a bit clearer on how your setups are.

At the moment, I am assuming that the reports and the webserver are on the same machine, and the OS is unix.

Another option that I can think of is to copy all the files that is required to some protected directory on interval basis.  Or you could a cron job every minutes (any interval you choose), to sync the files, and after the files is copied, change the permission, so that only webserver can access it (read-only).  Another option would be running suExec feature (if you are running Apache).

cheers.
0
 
LVL 15

Expert Comment

by:samri
ID: 7148470
Nilesh,

any feedback?
0
 

Author Comment

by:tambde
ID: 7149046
Thanks for you interest,
Yes OS is Unix, and the report files are on a partition which is mounted on the machine on which webserver is running.

The problem is
1> Report files have the permission set which doesn't allow user from group other than its owner.
and my webserver runs as nobody and hence all the scripts running from the webserver are not aving read permission on these reports.

2> The perl modules used by my cgi are shared by other perl programs and hence they are updated(released) time to time by their respective developer and they set the same permission as point 1. and hence i meed to change the permission on them manually so that my cgi scripts can read them.

what i am looking for:
1>A way by which I dont have to manually change the file permission on the modules everytime they are released.
2>A safe way to access the files(like report).

Hope these makes things more clearer..

-
Nilesh
0
 
LVL 15

Expert Comment

by:samri
ID: 7149427
Nilesh,

Thank for the information.

So lets get back to the approach that you mentioned has worked before.  The suid scripts.

I would suspect that if you could write a perlcode to utilize the modules, and make the perl-program suid.  

Or (still the same suid perl modules).  How about identifying the modules that is used in the report, and create a shell script to set the suid bit to that modules.  You can run it off the cron let say every hour for example to do that.

This would be a much straightforward -- since we knew that by changing the suid bit on the modules, it worked.

cheers.

0
 

Author Comment

by:tambde
ID: 7151836
From your reply, It seems like I am not able to specify my requirement correctly..

first thing setuid means the script will run as the higher previleged user...and offcource then it can access any report but it is highly undesirable because I think the webserver should never run with higher previlege.

so I have set setuid bit on my c binary..and I do "system" or "``"  in my cgi so that that binary reads the report..and returns the data to cgi.

so I was wondering Is there any other good way to achieve this...

Thanks for your time
Nilesh
0
 
LVL 15

Expert Comment

by:samri
ID: 7151978
Nilesh,

Yes, on most cases, it is not recommended to run any scripts with a priveleged id (root for example), and web server would refused to run as root.  Unless you can ensure that there is not loophole in your script that can cause harm, I did not see any problem with that.

Back to your specific scenario, you did mentioned that it the scripts runs fine when it is running with suid (privelege user).

If you are looking for an alternative, I would say that, having a copy of the reports in other location, where it is protected (and only the webserver) can access it would be another approach.  Maybe what you can do is to create a directory, and copy all the reports (if it is not too big) to this directory.  You can do this as root (via cron job maybe), and set the permission properly so that only webserver (user: nobody: group: nogroup) can access this.

cheers
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 15

Expert Comment

by:samri
ID: 7151979
Nilesh,

Yes, on most cases, it is not recommended to run any scripts with a priveleged id (root for example), and web server would refused to run as root.  Unless you can ensure that there is not loophole in your script that can cause harm, I did not see any problem with that.

Back to your specific scenario, you did mentioned that it the scripts runs fine when it is running with suid (privelege user).

If you are looking for an alternative, I would say that, having a copy of the reports in other location, where it is protected (and only the webserver) can access it would be another approach.  Maybe what you can do is to create a directory, and copy all the reports (if it is not too big) to this directory.  You can do this as root (via cron job maybe), and set the permission properly so that only webserver (user: nobody: group: nogroup) can access this.

cheers
0
 

Author Comment

by:tambde
ID: 7152096
Hmm....
Copying the reports to diff. loc. seems good alternative, but they are really huge..and other systems(apart from webserver) also accesses them.
Any way I will think about that..
Thanks again..
0
 
LVL 15

Accepted Solution

by:
samri earned 50 total points
ID: 7152521
Nilesh,

Another option would be creating a symbolic link to the report file.  Depending on how many report files there are, you could create a script to do that.  The approach would be almost similar the previous (copy file), but insted of the actual file, we would only create a link to the actual report file.  The symlik can be placed in a protected directory.  

This approach would require you to fix the httpd.conf to have FollowSymlink (and not SymLinksIfOwnerMatch).  

cheers.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 8148422
This question has been abandoned. I will make a recommendation to the
moderators on its resolution in a week or two. I appreciate any comments
that would help me to make a recommendation.
<note>
   In the absence of responses, I may recommend DELETE unless it is clear
   to me that it has value as a PAQ.  Silence = you don't care
</note>

Cd&
0
 
LVL 15

Expert Comment

by:samri
ID: 8149531
CD&,

my last two comments looks promising to Nilesh.  However, no confirmation is done on whether they implemented it.

I would say that should do it.

0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 8187152
It is time to clean this abandoned question up.  

I am putting it on a clean up list for CS.

<recommendation>
points to samri

</recommendation>

If anyone participating in the Q disagrees with the recommendation,
please leave a comment for the mods.

Cd&
0
 

Expert Comment

by:Chmod
ID: 8240457
As recommended

Chmod
Community Support Moderator @Experts Exchange
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Turn A Profile Picture Into A Cartoon Using Photoshop And Illustrator This tutorial will teach you how to make a cartoon style image out of a regular picture. I have tried to keep the tutorial as simple as possible. I used Adobe CS4 for this tuto…
This article provides a case study on how our local youth baseball league deployed a new website, including the platform selection, implementation and benefits to the league.
The purpose of this video is to demonstrate how to create a Printer Friendly PDF on a WordPress Page. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome Screenshot” Google Chrome Extension, and SmallPDF.com Log…
The purpose of this video is to demonstrate how to prevent comment spam on a WordPress Website. This will be demonstrated using a Windows 8 PC. Plugin Akismet will be used. Go to your WordPress login page. This will look like the following: myw…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now