OpenBSD Security Functionally paranoid! |
Squid and Apache user permissions
Okay, so I'm running squid as a cache and content filter. However, whenever my script (run by squid, whoami'd as _squid) tries to place anything in /var/www/htdocs/images/ it gets a "permission denied".
I've been following this guide to get me started: https://help.ubuntu.com/community/Upside-Down-TernetHowTo I've edited the script and all the commands to fit my directory layout. I think I messed up at this step though:
Code:
sudo mkdir /var/www/images
sudo chown www-data:www-data /var/www/images
sudo chmod 755 /var/www/images
sudo usermod -aG proxy www-data
Code:
mkdir /var/www/htdocs/images
chown www:www /var/www/htdocs/images
chmod 755 /var/www/htdocs/images
usermod -G _squid www
Code:
usermod -G www _squid
Code:
# ls -lR /var/www/htdocs/
total 4
drwxr-xr-x  2 www  www  512 Sep  5 12:53 images

/var/www/htdocs/images:
total 12
-rw-r-----  1 _squid  _squid  2222 Sep  5 05:02 test.gif
# cat /etc/group | grep _squid
www:*:67:_squid
_squid:*:515:www
Wow, after 8+ hours of working on this single permissions problem, I tried one thing after I created this thread:
Code:
chmod 777 /usr/local/bin/flip.pl
chmod 777 /var/www/htdocs/images/
Quote:
The problem was that I added _squid to www and then tried giving www write permissions to the apache folder. However, then it would remove apache's write permissions. I couldn't get both of them in a group that would function correctly. I'm obviously missing something. You say "making this directory group writable (using chmod 775)"; would that mean any group could read/write to that directory? How would I specify that group (for example www) as the only group writable?
Without more info, here are some things to think about:
Permissions: There are three read/write/execute permissions to set: world, group, and owner. Every file has a single group and a single owner. The owner uses the owner permissions, other users who are members of the group (and who are NOT the owner) use the group permissions, and users who are neither the owner nor in the group use the world permissions.

Directories can be searched or not searched with the execute bits (world, group, user). So a directory which is searchable for files (regardless of the file permission settings) needs to have the appropriate execute bits set.

Which directory is this again? The built-in Apache server is chrooted by default. That may be adding to your confusion, as Apache's root is /var/www, not /. See FAQ 10.16 if you are using chrooted Apache.
Here's an example. User B owns the file "shared_stuff", and it is assigned to the group "sharing".
The members of "sharing" are users A and C. If user B sets the permissions to 060, then only users A and C can read and write the file. Nobody else. Not even user B, since he is not a member of the group. (Yes, if user B has write/execute access to the directory that links to the file, he can rename or delete the directory entry. If that link is the last hard link to the file, the file will be deleted and the inode will be freed. But he can't read or write the data in the file.)
UserB:
Code:
$ grep sharing /etc/group
sharing:*:1020:userA,userC
$ ls -l shared_stuff
----rw----  userB  sharing  13 Sep 30 13:38 shared_stuff
$ cat shared_stuff
cat: shared_stuff: Permission denied
Code:
$ cat shared_stuff
sharing data
$
Last edited by jggimi; 30th September 2011 at 05:51 PM.
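The rules laid out in the two replies above (exactly one permission triplet applies, chosen as owner, then group, then world, so the owner is locked out of a 060 file even though the group can read and write it; and creating an entry in a directory needs both the write and the search bit on that directory) can be checked against the thread's own cases without touching a real system. The following is an added example, not code from the thread or from OpenBSD: it models the POSIX discretionary access decision in Python over a constructed account database whose names mirror the posts (www, _squid, userA/userB/userC, sharing, and the two /etc/group lines the original poster showed). The uid/gid numbers are assumed, and root's bypass of these bits is deliberately not modelled.

```python
"""Model of the POSIX owner/group/world access decision (added example,
not the forum's code). Account data below is constructed to mirror the
thread; the numeric ids are assumptions, not OpenBSD's real values."""

R, W, X = 4, 2, 1

# Constructed toy account database. In this toy db a user's primary group
# has the same name as the user (as with www and _squid on OpenBSD).
USERS = {"www": 67, "_squid": 515, "userA": 1001, "userB": 1002, "userC": 1003}
GROUPS = {"www": 67, "_squid": 515, "sharing": 1020}
# Supplementary membership, exactly as the two posted /etc/group lines
# (www:*:67:_squid and _squid:*:515:www) plus jggimi's "sharing" group.
MEMBERS = {"www": {"_squid"}, "_squid": {"www"}, "sharing": {"userA", "userC"}}


def user_groups(user):
    """All gids the user carries: primary group plus supplementary groups."""
    gids = set()
    if user in GROUPS:
        gids.add(GROUPS[user])
    for gname, members in MEMBERS.items():
        if user in members:
            gids.add(GROUPS[gname])
    return gids


def permitted(user, owner, group, mode, want):
    """Return True if `user` may perform `want` (bitmask of R/W/X) on an
    object owned by `owner`:`group` with permission bits `mode`.

    Exactly one triplet is consulted, in this order: the owner bits if the
    caller owns the object, otherwise the group bits if the caller is in
    the object's group, otherwise the world bits. Being the owner excludes
    the group bits, which is why mode 060 locks the owner out. Root
    (uid 0) would bypass all of this; that case is not modelled here.
    """
    if user == owner:
        bits = (mode >> 6) & 7
    elif GROUPS[group] in user_groups(user):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def can_create_in(user, dir_owner, dir_group, dir_mode):
    """Creating, renaming or unlinking an entry needs write AND search (x)
    on the containing directory; the new file's own bits play no part."""
    return permitted(user, dir_owner, dir_group, dir_mode, W | X)


def thread_cases():
    """The situations discussed in the thread, evaluated with the rules above."""
    return {
        # OP: images/ is www:www 0755 and _squid is in group www, so it
        # gets r-x from the group triplet: no write, hence "permission denied".
        "squid_writes_755": can_create_in("_squid", "www", "www", 0o755),
        # jggimi's suggestion: 0775 gives the group the write bit too.
        "squid_writes_775": can_create_in("_squid", "www", "www", 0o775),
        # test.gif is _squid:_squid 0640; www is a member of _squid, so it
        # reads via the group triplet...
        "www_reads_testgif": permitted("www", "_squid", "_squid", 0o640, R),
        # ...but anyone outside that group falls through to world bits 0.
        "userA_reads_testgif": permitted("userA", "_squid", "_squid", 0o640, R),
        # jggimi's 060 example: the owner is locked out, group members are not.
        "userB_reads_060": permitted("userB", "userB", "sharing", 0o060, R),
        "userA_writes_060": permitted("userA", "userB", "sharing", 0o060, W),
        "userC_reads_060": permitted("userC", "userB", "sharing", 0o060, R),
    }


if __name__ == "__main__":
    for name, ok in thread_cases().items():
        print(f"{name:22s} {'allowed' if ok else 'denied'}")
```

Two caveats worth keeping in mind when applying this to the running system rather than the model: a process picks up its supplementary groups when it starts (at login, or when the daemon is launched), so after `usermod -G www _squid` the squid process has to be restarted before it is actually in group www; and because the OpenBSD Apache in the thread is chrooted to /var/www, the path squid writes to on the host and the path Apache serves from inside the chroot differ, which is the point of the FAQ 10.16 pointer above.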