[LON-CAPA-dev] www owned files

Martin Siegert lon-capa-dev@mail.lon-capa.org
Mon, 7 Oct 2002 18:39:48 -0700


Hi Scott,

I guess I am arguing with the wrong person ..., but anyway:

If they want to freely alter everything, that still may be ok, if they
had chosen an account other than www. This used to be the "nobody" account
because nobody was supposed to use it other than the web server.
Thus, why not create a "loncapa" account and chown everything to loncapa?
That would keep me happy ... and would be way more secure.
Choosing www is just the worst of all choices ... and a recipe for
disaster.

Cheers,
Martin

On Sun, Oct 06, 2002 at 01:09:15PM -0400, Scott Harrison wrote:
> Hi Martin:
> 
> You are right.
> 
> Historically though...
> if you look inside doc/loncapafiles/loncapafiles.lpml, you will
> see two sets of file ownership/permissions: development and runtime.
> 
> "runtime" obeys in spirit what you are suggesting.
> 
> "development" was implemented for developers (other than myself) who wanted to
> freely alter everything on the system as "www".  (I disagree
> with this style of development; it is a lazy solution.)
> 
> I will try and move the default tarball-based installation to
> the runtime mode this week.  Which should be easy... if you look inside
> the Makefile you will see the "CATEGORY" option which is currently
> set to "development".
> 
> Regards,
> Scott
> 
> > Hi,
> > 
> > I just ran 
> > 
> > # find . -user www -print | grep -v '/proc' > /tmp/www-owned
> > 
> > on our lon-capa library server and ended up with a huge list of files.
> > This actually worries me: www is the username under which the web server
> > runs (RH7.3) - it shouldn't own anything (or close to nothing), because in
> > case of a compromise of the web server (see apache/mod_ssl worm) 
> > the attacker has access to the www owned files. If there aren't any,
> > the attacker can't do much.
> > 
> > Under lon-capa www owns files under the following directory trees:
> > 
> > /var/lib/texmf/pk
> > this ought to be ok: these are fonts created by makefont on the fly.
> > 
> > /home/www
> > this is what www must own.
> > 
> > /home/httpd/cgi-bin
> > this scares me. These files should not be owned by www. They only have to
> > be readable by www. I am very tempted to run 
> > # chown -R root:root /home/httpd/cgi-bin
> > Would this break anything?
> > 
> > /home/httpd/html (particularly the adm, res directories)
> > same thing as cgi-bin. scary. solution: chown to root. objections?
> > the res directory probably should be owned by some group that creates
> > resources, i.e., neither root nor www.
> > 
> > /home/httpd/html/lon-status
> > probably must be owned by www. It writes into this tree.
> > 
> > /home/httpd/lib
> > should be owned by root.
> > 
> > /home/httpd/lonIDs
> > probably must be owned by www. correct?
> > 
> > /home/httpd/lonUsers
> > seems to be the heart of lon-capa. must be owned by www. correct?
> > 
> > /home/httpd/perl, /home/httpd/perl/{lonc,lond,lonsql,searchcat.pl,cleanup_database.pl}
> > why are these owned by www?
> > 
> > /home/httpd/perl/{logs,tmp}
> > both probably must be owned by www
> > 
> > /home/httpd/{sockets,prtspool}
> > these probably need to be owned by www.
> > 
> > /home/<username>/public_html
> > why are these owned by www? They shouldn't, correct?
> > 
> > Cheers,
> > Martin
> > 
> > ========================================================================
> > Martin Siegert
> > Academic Computing Services                        phone: (604) 291-4691
> > Simon Fraser University                            fax:   (604) 291-4242
> > Burnaby, British Columbia                          email: siegert@sfu.ca
> > Canada  V5A 1S6
> > ========================================================================
> > _______________________________________________
> > LON-CAPA-dev mailing list
> > LON-CAPA-dev@mail.lon-capa.org
> > http://mail.lon-capa.org/mailman/listinfo/lon-capa-dev
> > 
> 
> -- 
> Scott Harrison, sharrison@users.sourceforge.net
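An added example, not part of anyone's message in this thread: a POSIX shell helper that takes the output of Martin's `find . -user www -print | grep -v '/proc'` and sorts each path into the trees his message says www must own versus everything else, which is then listed as a candidate for the `chown` to root (or a resource-authoring group) that he proposes. The allowlist is taken from his message; the sample listing and the file names in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify www-owned paths against
# the trees that, per the message, the web-server user legitimately
# writes into. Everything else is flagged for review.

# Trees www must own (taken from Martin's list).
WWW_MUST_OWN="
/home/www
/var/lib/texmf/pk
/home/httpd/html/lon-status
/home/httpd/lonIDs
/home/httpd/lonUsers
/home/httpd/perl/logs
/home/httpd/perl/tmp
/home/httpd/sockets
/home/httpd/prtspool
"

# is_allowed PATH: succeed if PATH is one of the allowed trees or below it.
is_allowed() {
    for tree in $WWW_MUST_OWN; do
        case "$1" in
            "$tree"|"$tree"/*) return 0 ;;
        esac
    done
    return 1
}

# classify: read one path per line on stdin; print "ok" or "REVIEW" per path.
# REVIEW entries are the ones to consider for chown root:root (or a group).
classify() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_allowed "$path"; then
            printf 'ok      %s\n' "$path"
        else
            printf 'REVIEW  %s\n' "$path"
        fi
    done
}

# count_review: number of REVIEW entries for the listing on stdin.
count_review() {
    classify | grep -c '^REVIEW' || true
}

# Constructed sample standing in for real find(1) output (file names invented).
SAMPLE='/home/www/example.txt
/home/httpd/html/lon-status/example.log
/home/httpd/lonUsers/example.db
/home/httpd/cgi-bin/example.cgi
/home/httpd/html/adm/example.html
/home/httpd/perl/lond
/home/httpd/lib/example.pm
/home/someuser/public_html/index.html
/var/lib/texmf/pk/example.600pk'

printf '%s\n' "$SAMPLE" | classify
```

On a real server, replace the constructed `SAMPLE` with the saved `/tmp/www-owned` listing, e.g. `classify < /tmp/www-owned`.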