[Gllug] (no subject)

Shevek shevek at anarres.org
Mon Feb 10 18:39:34 UTC 2003


On Mon, 10 Feb 2003, Dylan wrote:

> Hi All,
> 
> I'd like to give a user write access to the /srv/www/ directory (on his local 
> machine) so he can easily test local web pages. I figure I can create a 
> group, give the user membership, and change the group of the directory 
> accordingly.
> 
> A) Will I also have to make root a member of that group?

No. Anyway, the groups array in the process struct in the kernel is only 
of size 32 or so. root would run out of slots if it had to be explicitly a 
member of every group.

> B) Would this create a security loophole?

Almost definitely, to some small extent. Unix (and all major modern
operating systems?) uses the "swiss cheese" model of security. I wouldn't
worry about it though.

> C) Is this what the www group is for?

No. Perhaps. Maybe. But given the Unix security model, you might as well.  
The question is, "Are the www pages living in a sandbox, or does the
ability to write a www page imply ability to execute code as the user
under which Apache runs?"

This is probably undecidable for any given system except for those systems 
where the answer is "insecure". In that case, you might as well use the 
www group. Examples of the latter would be any embedded scripting sites (I 
presume the phrase 'test' implies at least this), mod_include, etc.

Remember to chmod the dirs g+s.

S.

-- 
Shevek
I am the Borg.

sub AUTOLOAD{my$i=$AUTOLOAD;my$x=shift;$i=~s/^.*://;print"$x\n";eval
qq{*$AUTOLOAD=sub{my\$x=shift;return unless \$x%$i;&{$x}(\$x);};};}

foreach my $i (3..65535) { &{'2'}($i); }


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
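
One way to check the group-shared layout discussed in this thread, including the `chmod g+s` reminder, as an added example that is not part of the original post. The function names and the demo tree are illustrative assumptions; the shared group is passed as a name or numeric gid.

```shell
#!/bin/sh
# Added example: audit and apply a group-shared web root layout.
# Function names and the demo tree are illustrative, not from the thread.

# Directories lacking setgid: files created there get the creator's
# primary group rather than the directory's group.
dirs_missing_setgid() { find "$1" -type d ! -perm -2000 -print; }

# Entries whose group is not the shared group (name or numeric gid).
entries_wrong_group() { find "$1" ! -group "$2" -print; }

# Entries writable by "other", which would make the group pointless.
world_writable() { find "$1" ! -type l -perm -0002 -print; }

# Apply the layout: shared group everywhere, setgid + group rwx on
# directories, group rw on files, no write bit for "other".
share_webroot() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod g+rwxs,o-w {} + &&
    find "$1" -type f -exec chmod g+rw,o-w {} +
}

# Demo on a constructed tree in a temp dir; uses the caller's own gid so
# no root privileges are needed.
demo() {
    root=$(mktemp -d) && gid=$(id -g) || return 1
    mkdir -p "$root/site/css"
    : > "$root/site/index.html"
    chmod o+w "$root/site/index.html"
    echo "before: missing setgid:"; dirs_missing_setgid "$root"
    echo "before: world-writable:"; world_writable "$root"
    share_webroot "$root" "$gid"
    echo "after: $(dirs_missing_setgid "$root" | wc -l) dirs missing setgid"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On Linux, subdirectories created later inside a setgid directory inherit the bit, so the audit functions are mainly useful for trees that were populated before the layout was applied.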



