DaemonForums > OpenBSD Security

#1  5th September 2011, BinarySpike
Squid and Apache user permissions

Okay, so I'm running squid as a cache and content filter. However, whenever my script--run by squid, whoami'd as _squid--tries to place anything in /var/www/htdocs/images/ it gets a "permission denied".

I've been following this guide to get me started:
https://help.ubuntu.com/community/Upside-Down-TernetHowTo


I've edited the script and all the commands to fit my directory layout. I think I messed up at this step though:
Code:
sudo mkdir /var/www/images
sudo chown www-data:www-data /var/www/images
sudo chmod 755 /var/www/images
sudo usermod -aG proxy www-data
Which I've done as

Code:
mkdir /var/www/htdocs/images
chown www:www /var/www/htdocs/images
chmod 755 /var/www/htdocs/images
usermod -G _squid www
However, the problem is two-fold. If I chown htdocs/images to _squid:_squid then the python/squid script can place files (verified) in htdocs/images, but I get a "403 Forbidden" from Apache.
Code:
usermod -G www _squid
To be honest I'm completely lost here
Code:
# ls -lR /var/www/htdocs/
total 4
drwxr-xr-x  2 www  www  512 Sep  5 12:53 images

/var/www/htdocs/images:
total 12
-rw-r-----  1 _squid  _squid  2222 Sep  5 05:02 test.gif


# cat /etc/group | grep _squid
www:*:67:_squid
_squid:*:515:www
Honestly it looks to me like www and _squid should have access both ways.

#2  5th September 2011, BinarySpike

Wow, after 8+ hours of working on this single permissions problem, I tried one thing after I created this thread:
Code:
chmod 777 /usr/local/bin/flip.pl
chmod 777 /var/www/htdocs/images/
And everything is working fine. (lol the Bold button is upside down)

#3  27th September 2011, Carpetsmoker (Martin)

Eek! The evil chmod 777 rears its ugly head!

Yes, chmod 777 will make your life easier. If you are *only* interested in making your life easier, I would recommend issuing chmod -R 777 / now. Don't come back complaining about security issues though!

chmod 777 will make the file or directory writable by *everyone*. This includes accounts that are normally used only for system services such as apache, ftpd, ntpd, sendmail, bind, etc. The biggest reason these processes run as a separate user and not root is that this way they cannot access files which they should not access, such as /bin/ls or /etc/passwd ...
This means that if some 1337 haxx0r gains access to, for example, your sendmail through some vulnerability, he/she can only access/change a very limited number of files and (hopefully) the impact is limited.

So, in short, I would recommend you never use chmod 777 unless you have a very clear picture of why it's 777 and not something else (one of the few examples of "legal" use is /tmp/).

----

Now, to actually answer the original question.

The guide you posted is for Ubuntu, not OpenBSD
Ubuntu is very different.

If I understand it correctly, you want to have /var/www/htdocs/images/ writable by both Apache and by Squid?

One method of doing that is creating a new group, put both the apache and squid users in that group, and making this directory group writable (Using chmod 775)

I don't know why /usr/local/bin/flip.pl needs to be chmod 777? Since this script is executed I would consider it to be extremely bad security practice to make this world-writable! Maybe the problem you had was that it wasn't executable by everyone? Try chmod 755
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

#4  30th September 2011, BinarySpike

Quote:
Originally Posted by Carpetsmoker
Eek! The evil chmod 777 rears its ugly head!

chmod 777 will make the file or directory writable by *everyone*. This includes accounts that are normally used only for system services such as apache, ftpd, ntpd, sendmail, bind, etc. The biggest reason these processes run as a separate user and not root is that this way they cannot access files which they should not access, such as /bin/ls or /etc/passwd ...
This means that if some 1337 haxx0r gains access to, for example, your sendmail through some vulnerability, he/she can only access/change a very limited number of files and (hopefully) the impact is limited.

So, in short, I would recommend you never use chmod 777 unless you have a very clear picture of why it's 777 and not something else (one of the few examples of "legal" use is /tmp/).
Understandably this makes it unsafe. I spent 6 hours the night before, and 2 the day after, trying to get my groups right... just permissions... I'm sure I punched a fighter-jet-sized hole in my system and had to go back and clean up as much of /etc/group as I could.

Quote:
Originally Posted by Carpetsmoker
Now, to actually answer the original question.

The guide you posted is for Ubuntu, not OpenBSD
Ubuntu is very different.

If I understand it correctly, you want to have /var/www/htdocs/images/ writable by both Apache and by Squid?

One method of doing that is creating a new group, put both the apache and squid users in that group, and making this directory group writable (Using chmod 775)

I don't know why /usr/local/bin/flip.pl needs to be chmod 777? Since this script is executed I would consider it to be extremely bad security practice to make this world-writable! Maybe the problem you had was that it wasn't executable by everyone? Try chmod 755
I adapted the information for Ubuntu to OpenBSD. I'm not new to unix style systems. My problem is that I have no experience in filesystem permissions. And a lot of mac os x articles tell you, "now: chmod 777 ./Desktop/script.sh", which explains why I thought flip.pl had to be 777.

The problem was that I added _squid to www and then tried giving www write permissions to the apache folder. However then it would remove apache's write permissions. I couldn't get both of them in a group that would function correctly. I'm obviously missing something.

You say "making this directory group writable (Using chmod 775)". Would that mean any group could read/write to that directory? How would I specify that group (for example www) as the only group writable?

#5  30th September 2011, jggimi

Without more info, here are some things to think about:

Permissions:

There are three read/write/execute permissions to set: world, group, and owner. Every file has a single group and a single owner. The owner uses the owner permissions, other users who are members of the group -- and who are NOT the owner -- use the group permissions, and users who are neither the owner nor in the group use the world permissions.

Directories can be searched or not searched with the execute bits (world, group, user). So a directory which is searchable for files (regardless of the file permission settings) needs to have the appropriate execute bits set.

Which directory is this again?

The built-in Apache server is chrooted by default. That may be adding to your confusion, as Apache's root is /var/www, not /. See FAQ 10.16 if you are using chrooted Apache.

#6  30th September 2011, jggimi

Here's an example. User B owns the file "shared_stuff", and it is assigned to the group "sharing".

The members of "sharing" are users A and C.

If user B sets the permissions to 060, then only users A and C can read and write the file. Nobody else. Not even user B, since he is not a member of the group.

(Yes, if User B has write/execute access to the directory that links to the file, he can rename or delete the directory entry. If that link is the last hard link to the file, the file will be deleted, the inode will be freed. But he can't read or write the data in the file.)

UserB:
Code:
$ grep sharing /etc/group
sharing:*:1020:userA,userC
$ ls -l shared_stuff
----rw---- userB   sharing    13 Sep 30 13:38 shared_stuff
$ cat shared_stuff
cat: shared_stuff    Permission denied
UserA:
Code:
$ cat shared_stuff
sharing data
$

Last edited by jggimi; 30th September 2011 at 05:51 PM.
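The permission rules jggimi lays out in posts #5 and #6 (exactly one class applies: owner, else group, else other; every directory on the path needs its search bit), applied to the layouts from posts #1 to #3, as an added example in Python. This is not code from the thread or from OpenBSD; it models classic mode bits only (no ACLs, no chroot). The group name webshare, the bystander account _ntp and the umask values are assumptions for illustration, and new files are given the parent directory's group as on OpenBSD (on Linux that needs the setgid bit on the directory).

```python
"""Unix permission-class model (added example, not from the thread).

Evaluates the directory/file layouts discussed in the thread under the
classic owner/group/other rules.  Names "webshare" and "_ntp" and the
umask values are illustrative assumptions."""
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass
class User:
    name: str
    group: str                          # primary group
    groups: frozenset = frozenset()     # supplementary groups


@dataclass
class Node:
    owner: str
    group: str
    mode: int                           # permission bits, e.g. 0o775


def effective_bits(user: User, node: Node) -> int:
    """Select exactly one permission class, as the kernel does.

    The owner is judged by the owner bits only; being a member of the
    file's group never lets the owner fall through to the group bits,
    which is why a 060 file locks out its own owner (post #6)."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group == user.group or node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def allowed(user: User, node: Node, want: int) -> bool:
    return (effective_bits(user, node) & want) == want


def can_access(user: User, parents: list, node: Node, want: int) -> bool:
    """Access needs the search (x) bit on every parent directory for this
    user plus the requested bits on the target (post #5)."""
    return all(allowed(user, d, X) for d in parents) and allowed(user, node, want)


def create_file(creator: User, parent: Node, umask: int = 0o022) -> Node:
    """New file: mode 0666 & ~umask, group inherited from the parent
    directory (BSD semantics; Linux needs setgid on the directory)."""
    return Node(owner=creator.name, group=parent.group, mode=0o666 & ~umask)


def thread_scenarios() -> dict:
    # Users as in the posted /etc/group: each is in the other's group.
    www = User("www", "www", frozenset({"_squid"}))
    squid = User("_squid", "_squid", frozenset({"www"}))
    bystander = User("_ntp", "_ntp")    # assumed unrelated daemon account

    # Post #1: images is www:www 755, test.gif is _squid:_squid 640.
    images = Node("www", "www", 0o755)
    test_gif = Node("_squid", "_squid", 0o640)

    # Post #2: chmod 777 opens the directory to every uid on the box.
    wide_open = Node("www", "www", 0o777)

    # Post #3: a new shared group, directory group-writable (775).
    www2 = User("www", "www", frozenset({"webshare"}))
    squid2 = User("_squid", "_squid", frozenset({"webshare"}))
    shared = Node("www", "webshare", 0o775)
    new_gif = create_file(squid2, shared)           # _squid:webshare 644

    # Post #6: 060 locks out the owner but not group members.
    user_b = User("userB", "userB")
    user_a = User("userA", "userA", frozenset({"sharing"}))
    shared_stuff = Node("userB", "sharing", 0o060)

    return {
        # group bits of 755 are r-x: _squid (via group www) cannot create
        "squid_can_write_images_755": can_access(squid, [], images, W),
        # www is in group _squid, so the 640 file itself is readable
        "www_can_read_test_gif": can_access(www, [images], test_gif, R),
        "anyone_can_write_777": can_access(bystander, [], wide_open, W),
        "shared_775_squid_writes": can_access(squid2, [], shared, W),
        "shared_775_www_reads": can_access(www2, [shared], new_gif, R),
        "shared_775_stranger_writes": can_access(bystander, [], shared, W),
        "owner_reads_060": can_access(user_b, [], shared_stuff, R),
        "member_reads_060": can_access(user_a, [], shared_stuff, R),
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:30} {ok}")
```

Two things the model makes visible. First, the 755 directory in post #1 was enough to explain the "permission denied": _squid is not the owner, so it gets the group class, and r-x has no write bit. Second, by mode bits alone www (a member of group _squid in the posted /etc/group) could read the 640 test.gif, so the 403 was not a file-mode problem. A running daemon keeps the supplementary groups it was started with, so edits to /etc/group only take effect after it is restarted; the thread does not say whether that was the cause. The shared-group layout from post #3 gives both accounts what they need while leaving an unrelated account with no write access, which the 777 layout from post #2 does not.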