Secure File Permissions
From JinzoraWiki
Introduction
This is a quick overview of Unix file permissions and a way of setting up Jinzora using Apache on Linux in a way that we feel is secure. Please note: Security is your responsibility, not ours. This article comes with absolutely no warranty. We are not liable for any consequences you might suffer after following this article.
Basics
Unix/Linux file permissions are organized in 3 groups containing the permissions to read, write and execute for the file owner, the file group and other users, plus some special modes. For a closer look see the Wikipedia article File system permissions. A popular pitfall is that you need execute rights on directories to be able to list their contents.
Secure Apache
First you have to secure your Apache web server. Current Linux distros should have done this, but you had better double-check it. We think it's good practice to run Apache using a dedicated user and group. Look for the credentials Apache currently uses. The way to check this depends on the Linux distro of choice. Most popular Linux distros support the 'ps' command to show the user of a running process:
ps -ef | grep [process name]
The process name is usually 'apache' or 'http', so you'd enter the command as one of the following:
ps -ef | grep apache
ps -ef | grep http
You could also check Apache's configuration file for the user and group. Of course, you need to make sure you're looking at the right config file! On most large distros the file is located at /etc/apache2/httpd.conf or /etc/apache2/apache2.conf.
Note we are only mentioning Apache version 2, since we think current software versions are generally more secure than older ones.
Normally, both the user and group are set to either 'www-data' or 'apache', depending on your distro. We will use 'apache' in the rest of this article. Remember to replace it with 'www-data' if required by your setup.
This user should not be allowed to log in. So verify that the login shell is set to false for your Apache user. The easiest way is to run grep apache /etc/passwd and check for '/bin/false'.
Secure Jinzora Directory
The goal is to set up Jinzora's web directory (/www/jinzora in this example) in a way that Apache can access it, but without doing a 'chmod -R 777' (equivalent to 'full control' on Windows), which is a high security risk! I suggest managing access to the directory by group permission, so the file owner will still be root or yourself. So for the basic setup we'd set:
chown -R [username_or_root] /www/jinzora
chgrp -R apache /www/jinzora
chmod -R a-rwx,u=rwX,g=rX /www/jinzora
The directory is now secure, but not writable by Jinzora. So we grant group write permission on the directories only and set the 'setgid bit', so every new file will inherit its file group from the directory. In addition we set the 'sticky bit' to make the directories 'append only': even if a file has group write permissions, it cannot be removed if the owner doesn't match (though you can write data into it). If you are using pathnames with whitespace you have to use -print0 on find and -0 (zero) on xargs.
find /www/jinzora -type d -print0 | xargs -0 chmod g+ws,+t
Now Apache/Jinzora can write into this directory. The last step is to grant group write permissions to files which may be written (all copies of settings.php), or change the owner to Apache for all files which may be deleted by Jinzora (all temp files, caches etc.).
find /www/jinzora -name settings.php -print0 | xargs -0 chmod g+w
find /www/jinzora/data/images -name '*.jpg' -print0 | xargs -0 chown apache
chown -R apache /www/jinzora/data/database/*
chown -R apache /www/jinzora/temp/*
Secure Media Directory
Create a new user group for your Jinzora media repository (the group is called 'media' in this example). Then add at least 'apache' to that group.
groupadd media
groupmems -a apache -g media
Now you can change all permissions of the files in your repository (the repository is '/audio' in this example):
chown -R <your_username> /audio
chgrp -R media /audio
chmod -R a-rwx,u=rwX,g=rX /audio
This basic setup should work for most cases. But if you want Jinzora to write data to these directories, you have to grant write permissions for the group on the directories. Also, to prevent file deletion you should set the 'sticky bit' to restrict deletion to the file owner. In addition you could set the 'setgid bit' on the directories, which will set the file group of newly created files to the file group of the directory (very handy - sometimes).
find /audio -type d -print0 | xargs -0 chmod +t,g+ws
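To verify the result of the steps above, the following added example (not part of the original article or of Jinzora) audits a tree for the mode bits this scheme expects: no access for 'other', and sticky plus setgid on every group-writable directory. The function names audit_tree and make_demo_tree and the sample tree are assumptions made for illustration; ownership and group membership are not checked.

```shell
#!/bin/sh
# Added example: audit a tree against the permission scheme in this article.
# Prints one finding per line as "<CODE> <path>"; prints nothing if clean.
audit_tree() {
    root=$1
    # Any read/write/execute bit for "other" contradicts 'chmod a-rwx,...'.
    find "$root" \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -exec printf 'OTHER-ACCESS %s\n' {} \;
    # Group-writable directories need the sticky bit (deletion restricted
    # to the file owner) and the setgid bit (new files inherit the group).
    find "$root" -type d -perm -020 ! -perm -1000 \
        -exec printf 'NO-STICKY %s\n' {} \;
    find "$root" -type d -perm -020 ! -perm -2000 \
        -exec printf 'NO-SETGID %s\n' {} \;
}

# Constructed sample tree (hypothetical paths) so the audit can be tried
# without touching a real installation. Echoes the tree's root directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/good dir" "$d/open" "$d/writable"
    : > "$d/good dir/settings.php"
    chmod 750 "$d"
    chmod 3770 "$d/good dir"              # rwxrws--T: target for writable dirs
    chmod 660 "$d/good dir/settings.php"  # group-writable settings file
    chmod 777 "$d/open"                   # the 'chmod -R 777' anti-pattern
    chmod 770 "$d/writable"               # group-writable, no sticky/setgid
    echo "$d"
}

# Demo run on the constructed tree; on a real setup call e.g.
#   audit_tree /www/jinzora
demo=$(make_demo_tree)
audit_tree "$demo"
rm -rf "$demo"
```

An empty result means the mode bits match the scheme; each OTHER-ACCESS, NO-STICKY or NO-SETGID line names a path to revisit with the chmod commands above.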
Enjoy a more secure Jinzora setup! When you're doing a Linux installation with shell access you can now skip the section 'Setting Permissions' and go straight to the Web Based Installer Step 1.
--Quasimodo 11:51, 28 February 2008 (CET)
