[LON-CAPA-dev] www owned files
Martin Siegert
lon-capa-dev@mail.lon-capa.org
Sat, 5 Oct 2002 13:44:24 -0700
Hi,
I just ran
# find . -user www -print | grep -v '/proc' > /tmp/www-owned
on our lon-capa library server and ended up with a huge list of files.
This actually worries me: www is the username under which the web server
runs (RH7.3) - it shouldn't own anything (or close to nothing), because in
case of a compromise of the web server (see apache/mod_ssl worm)
the attacker has access to the www-owned files. If there aren't any,
the attacker can't do much.
Under lon-capa www owns files under the following directory trees:
/var/lib/texmf/pk
this ought to be ok: these are fonts created by makefont on the fly.
/home/www
this is what www must own.
/home/httpd/cgi-bin
this scares me. These files should not be owned by www. They only have to
be readable by www. I am very tempted to run
# chown -R root:root /home/httpd/cgi-bin
Would this break anything?
/home/httpd/html (particularly the adm, res directories)
same thing as cgi-bin. scary. solution: chown to root. objections?
the res directory probably should be owned by some group that creates
resources, i.e., neither root nor www.
/home/httpd/html/lon-status
probably must be owned by www. It writes into this tree.
/home/httpd/lib
should be owned by root.
/home/httpd/lonIDs
probably must be owned by www. correct?
/home/httpd/lonUsers
seems to be the heart of lon-capa. must be owned by www. correct?
/home/httpd/perl, /home/httpd/perl/{lonc,lond,lonsql,searchcat.pl,cleanup_database.pl}
why are these owned by www?
/home/httpd/perl/{logs,tmp}
both probably must be owned by www
/home/httpd/{sockets,prtspool}
these probably need to be owned by www.
/home/<username>/public_html
why are these owned by www? They shouldn't, correct?
Cheers,
Martin
========================================================================
Martin Siegert
Academic Computing Services phone: (604) 291-4691
Simon Fraser University fax: (604) 291-4242
Burnaby, British Columbia email: siegert@sfu.ca
Canada V5A 1S6
========================================================================
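An added example, not code from the original post or from LON-CAPA: a small POSIX shell script that turns the by-hand walk through the find output above into a repeatable check. It reads "owner path" lines (GNU find's `-printf '%u %p\n'` form; `-xdev` keeps find on the root filesystem instead of grepping /proc out afterwards), sorts www-owned paths into the trees the post concludes www legitimately writes into and everything else, groups the rest by directory tree, and prints the chown commands as a dry run instead of executing them. WEB_USER, the ALLOW_PREFIXES list and the SAMPLE input are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of LON-CAPA: turn the
# by-hand walk through the find output in the post into a repeatable check.
# Input is "owner path" lines such as GNU find produces with
#   find / -xdev -user www -printf '%u %p\n'
# (-xdev keeps find on the root filesystem instead of grepping /proc out
# afterwards). WEB_USER, ALLOW_PREFIXES and SAMPLE are assumptions made
# for this demonstration, not settings taken from the post or the project.

WEB_USER=${WEB_USER:-www}

# Trees the post concludes the web server legitimately writes into.
# Assumed allowlist; adjust to the local installation.
ALLOW_PREFIXES="/var/lib/texmf/pk /home/www /home/httpd/html/lon-status
/home/httpd/lonIDs /home/httpd/lonUsers /home/httpd/perl/logs
/home/httpd/perl/tmp /home/httpd/sockets /home/httpd/prtspool"

# classify_path PATH: prints "ok" if PATH is an allowed tree or lies
# inside one, "review" otherwise.
classify_path() {
    for prefix in $ALLOW_PREFIXES; do
        case $1 in
            "$prefix"|"$prefix"/*) echo ok; return 0 ;;
        esac
    done
    echo review
}

# review_list: reads "owner path" lines on stdin and prints every path
# owned by $WEB_USER that is outside the allowlist. Other owners are
# skipped, so the full find output can be piped in unfiltered.
review_list() {
    while IFS=' ' read -r owner path; do
        [ "$owner" = "$WEB_USER" ] || continue
        if [ "$(classify_path "$path")" = review ]; then
            printf '%s\n' "$path"
        fi
    done
}

# count_trees: reads paths on stdin and prints "N /a/b/c" per directory
# tree (the first three components of the containing directory), most
# populated first, which is the grouping the post does by eye.
count_trees() {
    while IFS= read -r path; do
        dirname "$path" | cut -d/ -f1-4
    done | sort | uniq -c | sed 's/^ *//' | sort -k1,1nr -k2,2
}

# remediation_plan: prints, without executing, the chown the post is
# tempted to run, once per path outside the allowlist. Check the list
# before running it: any file the web server still has to write to stops
# working the moment it becomes root-owned.
remediation_plan() {
    review_list | while IFS= read -r path; do
        printf 'chown root:root %s\n' "$path"
    done
}

# Constructed sample input in "owner path" form (not output from the
# post's server); the file names are placeholders.
SAMPLE='www /var/lib/texmf/pk/cmr10.600pk
www /home/www/.bash_history
www /home/httpd/cgi-bin/example1.pl
www /home/httpd/cgi-bin/example2.pl
www /home/httpd/html/adm/index.html
www /home/httpd/html/lon-status/example.html
www /home/httpd/lonUsers/a/b/c/example.db
www /home/httpd/perl/lond
www /home/httpd/perl/logs/lond.log
www /home/student1/public_html/example.problem
root /home/httpd/lib/perl/Apache/example.pm
apache /var/www/html/index.html'

# Stand-alone run: which trees hold the files that need a second look.
# First line printed is "2 /home/httpd/cgi-bin".
printf '%s\n' "$SAMPLE" | review_list | count_trees
```

On a real server the sample is replaced by the find output: `find / -xdev -user www -printf '%u %p\n' | review_list | count_trees` gives the per-tree summary, and `... | remediation_plan` gives the commands to look over before any chown is run.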