1

I build a website that automatically manages a dedicated server. It does all sorts of things like creating users and Apache settings to point to their home directory.

The home directories host game binaries, and the home folder can be accessed from the web, but only non-essential resource files (.wav .mdl .spr etc) can be accessed; that's how Apache is configured. So for this to work, I need execute and read permissions on all files.

The problem is that binaries run in one user's home folder can access other users' home folders and read and write files in there.

How can I make a user's home directory inaccessible to anyone else but him and via Apache? Here's what the folder tree looks like:

https://i.stack.imgur.com/mXflN.png (no rep to show image directly)

1
  • @Matt the files are not created by Apache; Apache merely executes cp -rp to copy a folder and its contents and keep all permissions intact. That means that all I have to do is change permissions on the "source" folder and the same permissions will be present on user files. Your answer seems unrelated though.
    – Aron
    Aug 12, 2015 at 21:03

3 Answers

2

Set an ACL on each user's home directory, to which Apache needs access. This lets you avoid silly tricks with groups, which can actually cause more problems than they solve.

For example:

setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/username

will allow the httpd user to read everything in that directory, including subdirectories and any newly created files.

8
  • so if I set permissions to 700 for all folders and files, and then execute this, will this give only httpd and the file owner access to it?
    – Aron
    Aug 12, 2015 at 21:24
  • That's correct. Aug 12, 2015 at 21:26
  • I get an Invalid argument near character 3 error on that command.
    – Aron
    Aug 12, 2015 at 22:05
  • 1
    Looks fine to me. Are you sure you typed it correctly? Aug 12, 2015 at 22:07
  • copy pasted it and just replaced "username" with "user4". [root@carnbox /]# setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/user4 setfacl: Option -m: Invalid argument near character 3
    – Aron
    Aug 12, 2015 at 22:11
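
Added example (not from the question or the answers): a shell check for the cross-user exposure the question describes. It lists what another local account can reach through the "other" permission bits and shows that mode 700 on the home directory alone closes everything beneath it; the sample tree and the function names are constructed for illustration, and group bits and ACL entries such as the one set with setfacl above are not evaluated.

```shell
#!/bin/sh
# Added example: list what a different local account can reach in a home
# directory through the "other" permission bits alone.
# Assumptions: the parents of the home directory (e.g. /home) are traversable;
# group bits and ACL entries are out of scope for this check.

# Print every path under $1 that has o+r or o+w and is reachable, i.e. every
# directory above it (from $1 down) has o+x. A directory without o+x is
# pruned: nothing below it can be opened by "other", whatever its own mode.
exposed_paths() {
    find "$1" -type d ! -perm -001 -prune -o \
        \( -perm -004 -o -perm -002 \) -print
}

# Constructed sample: two homes, each holding a world-writable file;
# only user2's home is closed at the top level with mode 700.
build_sample() {
    base=$(mktemp -d) || return 1
    for u in user1 user2; do
        mkdir -p "$base/$u/game"
        : > "$base/$u/game/server.cfg"
        chmod 755 "$base/$u" "$base/$u/game"
        chmod 666 "$base/$u/game/server.cfg"
    done
    chmod 700 "$base/user2"
    printf '%s\n' "$base"
}

# Report the number of exposed paths per home directory in the sample tree.
base=$(build_sample) || exit 1
for home in "$base"/*/; do
    printf '%s: %s exposed path(s)\n' "${home%/}" \
        "$(exposed_paths "${home%/}" | wc -l | tr -d ' ')"
done
rm -rf "$base"
```

Pointing `exposed_paths` at a real home directory gives the list of files to tighten before relying on an ACL or group membership for the web server's access.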
0

I'd suggest having each user's home directory owned by the user and the user's group, with only the user and group able to get into the directory (770), and then making Apache a member of each user's group.

Also, be sure to implement some form of symlink attack protection (see https://documentation.cpanel.net/display/EA/Symlink+Race+Condition+Protection for some options - this link does not just apply to cPanel).

An approach which would keep things simple and not require symlink attack protection would be to use MPM ITK if you don't mind the speed hit (and see also the "Quirks and Warnings" on its homepage). In that case Apache runs as each individual website user.

You can also check out "Multi-site hosting - important vulnerability being missed to secure sites from each other?" for a discussion of multi-site hosting security and some other approaches.

Disclaimer: I can't promise that any suggestion above is 100% secure so use at your own risk =).

1
  • 1
    I will probably set up containers because I need them anyways for resource management. That should keep things safe, right? I wanted to know how other people fix this though because I thought I understood permissions well enough, but I don't.
    – Aron
    Aug 12, 2015 at 21:21
0

After trying many, many solutions, including the ones listed here, I found the best is to:

  1. Add www-data to the user's group, so that the users remain in final control of whether Apache gets to host their files

  2. Tell Apache where these folders are

<Directory /var/www/user/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
  3. Which brings me to my last point: since PHP-FPM 7.4, the /home folder is protected by default, so there is no point trying to circumvent it just to have a folder in /home, which is why I specified /var/www/user in step 2. So, just chown that whole folder to the user.

All the other methods had various issues ranging from irritating to being outright unusable: in particular, the user being unable to read/write to certain files created by Apache, or having permissions that are too lax, resulting in security issues, or simply being too complicated to manage.
