Apache – How to set secure permissions for multiple users and multiple websites

apache-httpdgentoopermissionsPHPSecurity

On a Gentoo 3.2.12 server with apache2+php, there are several websites running:

/www
    /website1
    /website2
    ...etc

The apache user should have read-only access to all the websites. There are also a few folders inside each website where apache should have read-write access (upload folders and the like).

There are several people who work on these websites. Each person should have read-write access to the website(s) they work on, but not others. Also, they should be able to set permissions (within their websites) so that apache can write to some folders (well, if they create a new upload folder or something).

Other users shouldn't have access to /www at all.

Can this be done and how?

(PS. Also… since these people can upload PHP scripts which are then executed in the context of Apache, I guess they can access other websites too, indirectly… is it possible to secure this as well? I can't think of a way, but who knows…)

Best Answer

One way would be this:

Have a group for each site, have the persons in that group use umask 0002 so the files they create are read/write for the group and readable for others by default.
chmod a-rwx the root directory of each site, to prevent access by people outside the allowed group.
Enable ACLs for your file system, and setfacl -m user:apache:rx that directory to grant read access to the apache user, in addition to the other permissions.

As to the files created by the apache process:

Reading files created by the apache user should be possible for the relevant group, as long as they are created world-readable.
Deleting files is possible as long as they reside in a group-writable directory.
If that is not enough, you could allow your users to sudo to the apache user. Perhaps only to execute specific commands, e.g. add group write permissions using ACLs.

But as you stated, all of the read restrictions can be circumvented if users can run arbitrary scripts as the apache user. To counter that, you could try to have the scripts of one site executed as a specific user in the corresponding group. I believe there is a way to set this up using mod_fcgid. Otherwise apache[suexec] and php[cgi] might work for you.

To get even better isolation, you'd have to have multiple apache processes, running as different users, and perhaps even chrooted to different directories. Or in different OpenVZ units, or different Xen domUs, or on different hardware. As you can see, there are a lot of different isolation levels, each providing better isolation than the one before, at the cost of mre resource demands.

Related Solutions

Ubuntu – How to configure permissions to allow gedit, apache, and an IDE play together

What I recommend doing has been mostly described in this Ask Ubuntu question.

For this particular case I would install suPHP which in short allows you to execute PHP scripts as your user under Apache.

By doing the following:

sudo chown -R youruser:youruser /var/www
find /var/www/ -type d -exec chmod 0755 {} \;
find /var/www/ -type f -exec chmod 0644 {} \;

Install suphp-common and libapache2-mod-suphp from this ppa (What are PPAs and how do I use them?)

Disable mod_php5 and enable mod_suphp

sudo a2enmod suphp
sudo a2dismod php5

Update your virtual hosts to include this line at the bottom of them:

suPHP_UserGroup youruser youruser

Replacing youruser with the user you use to edit files on the server. Restart Apache.

From this point forward Apache will execute all php scripts are your user, which means they can be owned by your user/group and there is no need to use crazy permissions like 777. Since everything is run as your user all files created by the php scripts will be owned by your user as well! There are many other cool things you can do with suPHP; however, from what it sounds like this is all you'll need to get started.

Apache and PHP – Recommended User and File Permissions for /var/www

not root
not root
SuEXEC
Depends. 644 for files and 755 for folders are a safeish default.

Don't change ownership of anything to www-data unless you want php to be able to edit the contents of that file/folder

Irrespective of anything else you do: folders need read and execute permissions for the user to find files; files need read permissions for the user to read them. If you get any permissions errors when changing things - you've managed to remove these fundamentally required permissions.

If you are not writing any files via your php application, you can leave files owned by you:you. In this circumstance the world permission (xx4/5) is the one which applies.

If you leave the files as owned by you:you with file permissions of 644 (files) what that would mean is that only you can edit the website files - www-data is not you - so it cannot edit the files.

If you want to restrict access to apache + you and block out all other access chown -R you:www-data *. With file permissions of 640 and folder permissions of 750 you can edit, www-data can read - because then apache reads the group permission (x4/5x).

Restrict to a minimum the paths you allow apache/php to write to - if there's a tmp dir the application needs to write to - allow it to write to that folder only - and for any writable locations if at all possible make sure it's outside the document root or take steps to ensure this writable path is not web-accessible.

Note that "you" should not be root. Allowing direct ssh access as root is an indicator of other security lapses (such as not disallowing password login), but that's a whole bunch of questions unto itself.

Best Answer

Related Solutions

Ubuntu – How to configure permissions to allow gedit, apache, and an IDE play together

Apache and PHP – Recommended User and File Permissions for /var/www

Related Question