[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-list
Subject:    Re: Apache and umask for document root
From:       Rick Stevens <ricks () alldigital ! com>
Date:       2016-10-28 1:35:29
Message-ID: 9057172d-1e23-32e2-a9c5-613a08eae81d () alldigital ! com
[Download RAW message or body]

On 10/27/2016 05:48 PM, Alex wrote:
> Hi,
> 
>>>> To only way to verify the change "took" is to have the httpd process
>>>> create a file and check the mode of the file created.
>>>
>>> Yes, thanks. I still need to test it for joomla through the apache
>>> user, but as I mentioned in a previous email a few minutes ago, it
>>> still appears to be 0022.
>>>
>>> How is it set for the normal user? I've modified /etc/bashrc (and even
>>> /etc/profile), and the apache user doesn't have a .bashrc or
>>> .bash_profile, and it's still 0022.
>>
>> Where did you set it? By default /etc/profile changes the umask for
>> interactive shells to 0002 under the following criteria:
>>
>>         if the user ID is > 199 AND
>>         the EUID (by name) is the same as the EGID (by name)
> 
> I misinterpreted that when I first read it.
> 
>> Otherwise the umask is set to 0022. By default, /etc/bashrc does
>> precisely the same for _non-login_ bash shells.
>>
>> Just to prove you can change the umask via /etc/profile:
>>
>>         [root@prophead ~]# su - apache -s /bin/bash -c "umask"
>>         0022
>>         [root@prophead ~]# echo "umask 0002" >>/etc/profile
>>         [root@prophead ~]# su - apache -s /bin/bash -c "umask"
>>         0002
>>
>> Note that this affects ALL users' interactive shells, so delete that
>> line we just added from the end of /etc/profile as soon as possible
>> after you're satisfied it works.
>>
>> I'd highly recommend you add code to both /etc/profile and /etc/bashrc
>> to selectively change the umask for the apache user (on my machine,
>> that's UID 48).
> 
> This is what I've done now, and it works well, thanks.
> 
>>> This is important because the "joomadmin" user will be manipulating
>>> these files via sFTP or scp.
>>>
>>> I've also tried modifying the Subsystem variable to first set the
>>> umask before running /usr/libexec/openssh/sftp-server, and the Windows
>>> sFTP client they're using apparently can't handle this.
>>
>> Uh, how? The /etc/ssh/sshd_config line should read:
>>
>>         Subsystem       sftp    /usr/libexec/openssh/sftp-server -u 0002
>>
>> and you must restart sshd via "systemctl restart sshd.service" as
>> /etc/ssh/sshd_config is only read when sshd starts up.
> 
> I had set umask prior to spawning sftp-server, as in 'umask 0002;
> /usr/libexec/openssh/sftp-server'.

Yeah, that's wrong. The "-u 0002" option to the sftp-server is there
specifically to handle this sort of thing.

> This whole issue started with trying to figure out which is the
> preferred method for managing access to files by apache and a web
> admin.
> 
> Many recommended suPHP, while others recommended other, more
> complicated modules like PHP-FPM. I was surprised there was no more
> comprehensive joomla or apache doc with recommended best practices or
> as part of their security documentation that described more clearly
> how best to secure the DocumentRoot while allowing remote access by
> other users.

PHP-FPM isn't that complicated. PHP runs as a completely separate
process (under its own user and group) from Apache. Apache communicates
with it via either IP or Unix sockets. Therefore the files that php
deals with can have completely different owners and groups and
permissions from what Apache has.

If you want to use the worker-thread model of Apache, you MUST use
PHP-FPM because PHP isn't thread-safe (well, PHP itself is thread-
safe...some of the libraries used in PHP aren't). In fact, the PHP
stuff doesn't even have to be on the same physical machine as Apache.
We actually have a set of systems that do nothing but run PHP and
Apache on the web nodes "talk" to them via IP sockets. We can keep
things separate that way and grow the number of PHP machines to handle
workloads (they're behind a load balancer with "sticky" mode set).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-           Denial.  It ain't just a river in Egypt anymore!         -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org

[prev in list] [next in list] [prev in thread] [next in thread]