Linux Permissions – How to Configure Apache Access to Files Securely

Tags: linux, permissions, security, webserver

At my school we have a shared server environment with several users and several groups.

Relevant groups:

students

daemon (runs apache)

I want to allow students to have full access to files they own and no access to other students' files. Two different students should not even be able to see each other's files.

I also want apache to be able to read and execute all student files. Specifically, I want apache to be able to read a password file owned by each student. I also want the owner of the password file to have full access to it.

From my understanding, the best way to do this is to change the group owner of the password file to be apache.

So after reading this,

https://serverfault.com/questions/357108/what-are-the-best-linux-permissions-to-use-for-my-website

it seems a simple chgrp would fix it.

But then I run into this:

You must be owner of the file(s) as well as a member of the destination group (or root) to use this operation.

So since the students are not part of the daemon group, they cannot run this command.
Giving them that group would be pointless, in that they would be able to see other students' password files as well.

From the previous thread I gathered that the current security settings are unfit, and I have scheduled a meeting with my system administrator tomorrow.

But I'm still unsure what I should ask my system administrator to do.

I can't really ask him to manually change the permissions for every password file on the server, the filenames and locations are different and many students are not even set up yet.

Allowing students to have full access to chgrp seems dangerous.

My inclination is to ask him to create some type of script that would prompt the student for a file and then run chgrp in place of the student, thus giving apache group ownership. This seems viable, but also pretty complicated, as I'm still pretty new to Linux. Would he be able to do something like this easily?

I've also considered ACLs, but my train of thought goes right back to chgrp: giving students access to setfacl seems dangerous.

Best Answer

ACLs are the answer. The students don't need any special permission to run setfacl, a user can set the ACL of any file that he owns.

If you need to set up your system for ACLs, see Make all new files in a directory accessible to a group

Tell students that if they need a file to be accessible to Apache, then they must run

setfacl -m group:daemon:r ~/path/to/password.file
setfacl -m group:daemon:x ~ ~/path ~/path/to

The x permission on the directories is necessary to access files (including subdirectories) in these directories.
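Assuming the Apache group is daemon as in the question, here is an added wrapper script (not part of the answer above) that applies both setfacl commands to a file anywhere under the student's home: it works out the chain of directories that need the x entry automatically and prints the resulting ACL with getfacl so the student can verify it.

```bash
#!/bin/sh
# Added example, not from the original answer. Assumes the Apache group is
# "daemon" (override with APACHE_GROUP) and that the filesystem has ACLs enabled.
APACHE_GROUP="${APACHE_GROUP:-daemon}"

# Print every directory from BASE down to the directory containing FILE, one per
# line. Each of these needs a group:$APACHE_GROUP:x entry so Apache can traverse
# the path. Both arguments must be absolute; FILE must lie under BASE.
ancestor_dirs() {
  base="${1%/}"
  dir=$(dirname "$2")
  case "$dir" in
    "$base"|"$base"/*) ;;
    *) echo "error: $2 is not under $base" >&2; return 1 ;;
  esac
  printf '%s\n' "$base"
  rest="${dir#"$base"}"      # e.g. /path/to
  acc="$base"
  while [ -n "$rest" ]; do
    rest="${rest#/}"
    part="${rest%%/*}"
    rest="${rest#"$part"}"
    [ -n "$part" ] || continue  # skip empty components from "//"
    acc="$acc/$part"
    printf '%s\n' "$acc"
  done
}

# Grant the Apache group read on FILE and traverse (x) on every directory
# between $HOME and FILE, which is exactly what the two commands above do.
grant_apache_access() {
  case "$1" in /*) file="$1" ;; *) file="$PWD/$1" ;; esac
  [ -f "$file" ] || { echo "error: no such file: $file" >&2; return 1; }
  dirs=$(ancestor_dirs "$HOME" "$file") || return 1
  printf '%s\n' "$dirs" | while IFS= read -r d; do
    setfacl -m "group:$APACHE_GROUP:x" "$d"
  done
  setfacl -m "group:$APACHE_GROUP:r" "$file"
  # Show the effective ACL so the student can confirm the daemon entry exists.
  getfacl --omit-header "$file"
}

if [ "$#" -eq 1 ]; then
  grant_apache_access "$1"
fi
```

Run it as `sh share-with-apache.sh ~/path/to/password.file`; it never touches any file outside the caller's own home, and setfacl still refuses files the student does not own.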
