Thomas,
Here is what I have on my vsite.
The "y" folder -
drwxr-sr-x 2 apache site1 4096 Aug 1 11:58 y
The file inside -
-rw-r--r-- 1 apache site1 3 Aug 1 11:58 data.txt
The file permissions reflect the system's umask of 0022 - which is only
owner writable.
Server version: Apache/2.0.52
Server built: Jan 14 2008 08:20:27
Suexec will not affect php programs unless php is run as a cgi. Not the
normal case in apache.
See http://httpd.apache.org/docs/2.0/suexec.html
Perhaps related (permissions) is that /etc/proftpd.conf specified a umask of
002 (create with group write enabled) but files are created with the system
default umask. It seems to use the tighter umask. Maybe good practice for
the system but a real pain for sites where more than one site admin wants to
manage a site!
Thanks,
-Stephanie
Stephanie Sullivan, President
AVIA web development and hosting
a division of AVIA Consulting, Inc.
GSEC Certified IT Security Consultant
Phone: 508-393-0750
Mobile: 508-954-2842
FAX: 508-975-0118
> -----Original Message-----
> From: thomas [mailto:tfj-online (at mark) mail.tele.dk]
> Sent: Saturday, August 02, 2008 4:51 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:13683] Re: apache suexec
>
>
> > From: "Stephanie Sullivan"
> >> I just modified the script to be:
> >>
> >> <?php
> >> mkdir('y');
> >> $fp = fopen('y/data.txt', 'w');
> >> fwrite($fp, '1');
> >> fwrite($fp, '23');
> >> fclose($fp);
> >> ?>
> >>
> >> The group ownership is still site1 on the file in the y folder. Seems to
> >> work for ownership. :-)
> >
> > Sorry still does not work - I just don't get it!
> > What are your permissions on the /web folder?
> > 2777
> > drwxrwsrwx
> >
> > Have you changed anything in the vhost conf file for siteX.include
> >
> > or anything else in the httpd.conf besides commenting out the "Group
> > apache" part
> >
> > Which version of apache and suexec are you running ?
> > #httpd -V
> > #suexec -V
>
>
> This is after testing some more
>
> the folder "y" created from php is created with permissions
> drwxrwxrwx
>
> and the folder has the correct group "site1"
>
> But the files (data.txt) inside the folder have group "4294967295"
>
> if I create a new file to the folder "y" it still has group "4294967295"
>
> But if I change the permissions on folder y to
> drwxrwsrwx
>
> Now the files created to the folder have the correct group "site1"
>
> so somehow this problem is connected to the "s" bit on the permissions.
>
> How can I make this default for new files created?
>
> From a security viewpoint I'm not too happy about the full permissions
> drwxrwxrwx or even drwxrwsrwx!
>
>
> --
> Thomas Jensen
>
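An added example, not part of the original messages: a shell sketch of the two effects discussed in this thread, the setgid bit on a directory (new files take the directory's group) and the umask (022 gives owner-only write, 002 adds group write), plus a check that flags world-writable or non-setgid directories. It assumes Linux with GNU find and stat; the function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux, GNU find and stat.
# All function names and paths below are hypothetical.

# Shared directory: group-writable with setgid (rwxrwsr-x), not world-writable.
make_shared_dir() {
    mkdir -p "$1" && chmod 2775 "$1"
}

# Create an empty file under a given umask; the subshell keeps the
# caller's own umask unchanged.
create_with_umask() {   # usage: create_with_umask UMASK PATH
    ( umask "$1" && : > "$2" )
}

# Octal mode and numeric group id of a path.
mode_of() { stat -c '%a' "$1"; }
gid_of()  { stat -c '%g' "$1"; }

# Report directories under ROOT that are world-writable or lack setgid.
audit_site_dirs() {
    find "$1" -type d -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    find "$1" -type d ! -perm -2000 | sed 's/^/NO-SETGID /'
}

# Constructed demo tree in a temporary directory.
demo() {
    root=$(mktemp -d) || return 1
    make_shared_dir "$root/web"
    create_with_umask 022 "$root/web/tight.txt"    # system default in the thread
    create_with_umask 002 "$root/web/shared.txt"   # value set in proftpd.conf
    # A drwxrwxrwx directory like the one in the thread. GNU chmod keeps a
    # directory's setgid bit on a 4-digit numeric mode, so clear it explicitly.
    mkdir "$root/web/open" && chmod a=rwx,g-s "$root/web/open"
    for f in tight.txt shared.txt; do
        echo "$f mode=$(mode_of "$root/web/$f") gid=$(gid_of "$root/web/$f")"
    done
    echo "web mode=$(mode_of "$root/web") gid=$(gid_of "$root/web")"
    audit_site_dirs "$root/web"
    rm -rf "$root"
}

demo
```
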