[LON-CAPA-dev] www owned files

Scott Harrison lon-capa-dev@mail.lon-capa.org
Sun, 6 Oct 2002 13:09:15 -0400

Hi Martin:

You are right.

Historically though...
if you look inside doc/loncapafiles/loncapafiles.lpml, you will
see two sets of file ownership/permissions: development and runtime.

"runtime" obeys in spirit what you are suggesting.

"development" was implemented for developers (other than myself) who wanted to
freely alter everything on the system as "www".  (I disagree
with this style of development; it is a lazy solution.)

I will try and move the default tarball-based installation to
the runtime mode this week.  Which should be easy... if you look inside
the Makefile you will see the "CATEGORY" option which is currently
set to "development".


> Hi,
> I just ran 
> # find . -user www -print | grep -v '/proc' > /tmp/www-owned
> on our lon-capa library server and ended up with a huge list of files.
> This actually worries me: www is the username under which the web server
> runs (RH7.3) - it shouldn't own anything (or close to nothing), because in
> case of a compromise of the web server (see apache/mod_ssl worm) 
> the attacker has access to the www owned files. If there aren't any,
> the attacker can't do much.
> Under lon-capa www owns files under the following directory trees:
> /var/lib/texmf/pk
> this ought to be ok: these are fonts created by makefont on the fly.
> /home/www
> this is what www must own.
> /home/httpd/cgi-bin
> this scares me. These files should not be owned by www. They only have to
> be readable by www. I am very tempted to run 
> # chown -R root:root /home/httpd/cgi-bin
> Would this break anything?
> /home/httpd/html (particularly the adm, res directories)
> same thing as cgi-bin. scary. solution: chown to root. objections?
> the res directory probably should be owned by some group that creates
> resources, i.e., neither root nor www.
> /home/httpd/html/lon-status
> probably must be owned by www. It writes into this tree.
> /home/httpd/lib
> should be owned by root.
> /home/httpd/lonIDs
> probably must be owned by www. correct?
> /home/httpd/lonUsers
> seems to be the heart of lon-capa. must be owned by www. correct?
> /home/httpd/perl, /home/httpd/perl/{lonc,lond,lonsql,searchcat.pl,cleanup_database.pl}
> why are these owned by www?
> /home/httpd/perl/{logs,tmp}
> both probably must be owned by www
> /home/httpd/{sockets,prtspool}
> these probably need to be owned by www.
> /home/<username>/public_html
> why are these owned by www? They shouldn't, correct?
> Cheers,
> Martin
> ========================================================================
> Martin Siegert
> Academic Computing Services                        phone: (604) 291-4691
> Simon Fraser University                            fax:   (604) 291-4242
> Burnaby, British Columbia                          email: siegert@sfu.ca
> Canada  V5A 1S6
> ========================================================================
> _______________________________________________
> LON-CAPA-dev mailing list
> LON-CAPA-dev@mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-dev
> ------( NOTE )------------->
> This E-mail was scanned for viruses by Ramcell Online (http://www.ramcell.net/antivirus.asp)

Scott Harrison, sharrison@users.sourceforge.net