[LON-CAPA-dev] www owned files

Martin Siegert lon-capa-dev@mail.lon-capa.org
Sat, 5 Oct 2002 13:44:24 -0700


Hi,

I just ran 

# find . -user www -print | grep -v '/proc' > /tmp/www-owned

on our lon-capa library server and ended up with a huge list of files.
This actually worries me: www is the username under which the web server
runs (RH7.3) - it shouldn't own anything (or close to nothing), because in
case of a compromise of the web server (see apache/mod_ssl worm) 
the attacker has access to the www owned files. If there aren't any,
the attacker can't do much.

Under lon-capa www owns files under the following directory trees:

/var/lib/texmf/pk
this ought to be ok: these are fonts created by makefont on the fly.

/home/www
this is what www must own.

/home/httpd/cgi-bin
this scares me. These files should not be owned by www. They only have to
be readable by www. I am very tempted to run 
# chown -R root:root /home/httpd/cgi-bin
Would this break anything?

/home/httpd/html (particularly the adm, res directories)
same thing as cgi-bin. scary. solution: chown to root. objections?
the res directory probably should be owned by some group that creates
resources, i.e., neither root nor www.

/home/httpd/html/lon-status
probably must be owned by www. It writes into this tree.

/home/httpd/lib
should be owned by root.

/home/httpd/lonIDs
probably must be owned by www. correct?

/home/httpd/lonUsers
seems to be the heart of lon-capa. must be owned by www. correct?

/home/httpd/perl, /home/httpd/perl/{lonc,lond,lonsql,searchcat.pl,cleanup_database.pl}
why are these owned by www?

/home/httpd/perl/{logs,tmp}
both probably must be owned by www

/home/httpd/{sockets,prtspool}
these probably need to be owned by www.

/home/<username>/public_html
why are these owned by www? They shouldn't, correct?

Cheers,
Martin

========================================================================
Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert@sfu.ca
Canada  V5A 1S6
========================================================================
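The audit in the message above (find everything the web-server user owns, then decide which trees legitimately need that ownership) can be turned into a repeatable check. The script below is an added example, not code from the post or from the LON-CAPA project: the allowlist is built from the trees the message itself identifies as ones www must own (lon-status, lonIDs, lonUsers, perl/logs, perl/tmp, sockets, prtspool, /home/www, texmf/pk), the sample path list is constructed for a stand-alone dry run, and the function names, the WWW_USER variable and the example file names are assumptions. Anything owned by www outside the allowlist is reported for review rather than changed, so the chown decision stays with the administrator.

```shell
#!/bin/sh
# Added example (not from the LON-CAPA list post): report files owned by the
# web-server user that lie outside an allowlist of trees it must own.
# Assumption: WWW_USER is the account the web server runs as (www in the post).
WWW_USER="${WWW_USER:-www}"

# Trees the post identifies as legitimately www-owned (the server writes there
# at runtime). Everything else owned by $WWW_USER is a least-privilege finding.
EXPECTED_WWW_TREES="
/home/www
/home/httpd/html/lon-status
/home/httpd/lonIDs
/home/httpd/lonUsers
/home/httpd/perl/logs
/home/httpd/perl/tmp
/home/httpd/sockets
/home/httpd/prtspool
/var/lib/texmf/pk
"

# classify_path PATH -> prints "expected" when PATH is inside an allowed tree,
# "suspect" otherwise. The match is anchored on a directory boundary so that
# /home/wwwx/... is not mistaken for /home/www/...
classify_path() {
    p="$1"
    for tree in $EXPECTED_WWW_TREES; do
        case "$p" in
            "$tree"|"$tree"/*) echo expected; return 0 ;;
        esac
    done
    echo suspect
    return 0
}

# audit_paths: read one path per line on stdin, print only the suspect ones.
audit_paths() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ "$(classify_path "$p")" = suspect ]; then
            echo "$p"
        fi
    done
    return 0
}

# audit_live: the find from the post, with /proc pruned instead of grepped out,
# piped through the classifier. Needs root to traverse everything.
audit_live() {
    find / -path /proc -prune -o -user "$WWW_USER" -print 2>/dev/null | audit_paths
}

# Constructed sample of what such a find might list (hypothetical file names,
# not output from a real server), used for the stand-alone dry run below.
SAMPLE_PATHS="/home/www/.bashrc
/home/httpd/cgi-bin/example.cgi
/home/httpd/html/adm/example.html
/home/httpd/html/lon-status/example.txt
/home/httpd/lonUsers/example/file
/home/httpd/lib/example.pm
/home/alice/public_html/index.html
/var/lib/texmf/pk/example.pk
/home/httpd/perl/lond"

# count_suspect: number of suspect entries in the constructed sample.
count_suspect() {
    n=0
    for p in $(printf '%s\n' "$SAMPLE_PATHS" | audit_paths); do
        n=$((n + 1))
    done
    echo "$n"
}

# Dry run on the sample; run audit_live as root for the real check.
printf '%s\n' "$SAMPLE_PATHS" | audit_paths
```

On the constructed sample the report lists cgi-bin, html/adm, lib, a user's public_html and perl/lond, which are exactly the trees the message questions; the allowlist is the place to record a site's decision once a tree is confirmed to need www ownership.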