PhantomJS sets permissions of files to 644, how to change them without going anti-pattern? - api

I have implemented a RESTful API where I receive a website and return the path to its screenshots.
I am using PhantomJS v2.0.0 development to make the screenshots. I am making a console command that is executed with a secured, system()-like function. I use su to log in as a user 'phantomjs', which is restricted to use only specified commands, and then call my phantomjs script to render webpages as JPEGs. The files outputted are owned by 'phantomjs' and have permissions set to 644. We have added the user 'phantomjs' to group www-data.
We are putting lots of webshots in a directory, and separate them alphabetically in sub-directories. So far so good. Our work scenario requires that we occasionally delete webshots.
So I implemented a RESTful delete API which clients can use to delete their webshots. The real problem emerges from the fact that the files are owned by 'phantomjs' and with permissions set to 644, we can't delete the files through www-data. Since 'phantomjs' is in the same group as www-data, we need the permissions to be set to 664 in order to be able to unlink() those.
We wouldn't like to allow the user 'phantomjs' to use chmod or rm, because this would go against our design idea to restrict the user maximally, since this user runs shell commands.
We don't like the solution of running a cronjob that changes file permissions, because the server is pretty busy; this solution is very undesirable and should be our last resort.
We tried using ACL making every file in webshots/ dir to have default permissions of 664, but this didn't work with our NFS as expected. Upgrading the NFS is not an option for me right now.
We tried umask 002, but this worked only with files created through the shell, so it couldn't help us either.
I've noticed that if I save an empty file through Sublime Text, file permissions are 664.
If i save a screenshot with phantomjs, f.p. are 644.
My questions are:
- What governs default file permissions, the running process itself or some user preferences from which you run the application?
- Can you give me any more ideas how to delete webshots securely or make 'phantomjs'-owned files have perms 664 without giving the user too many 'dangerous' permissions?
Any help would be highly appreciated.
Thank you.

Related

RHEL: allow user1 to launch a program that reads settings file owned by another user

Question is about configuration of RHEL Operating System, or adding a custom script, I suppose.
I want to allow user1 to launch my program that reads a settings file owned by another user.
The final scope is:
to avoid user1 to be able to read the settings file.
to allow user1 to launch my program executable.
I supposed that my program and my settings file could be owned by root, giving user1 the right to execute the program. But If I do this, will the program be able to read settings file owned by root?
Is there a solution to this problem, without customization of my program executable?
Edit:
The scope is to protect the settings file content, but allow the user to use the application. Another way to solve the same problem with a different question is:
Suppose that I give root privileges to the exe and settings file, and then start the exe automatically during boot. user1 will not be able to read the settings file (this is what I want). Suppose that the exe is a terminal application that prints to standard output and expects commands on standard input. Is there a way, for user1, to read standard output and write standard input to the exe previously launched by root?
An attempt at an answer. Imagine /home/user/program is the program that should be run by user1, and /home/user/private-config-file the file that the program should be able to read (on behalf of user1) but not directly readable by user1.
In this configuration, I think the following should work:
create a custom group private-group (as root):
~ addgroup private-group
make the configuration file belong to private-group and group-readable (probably as root, unless your normal user is set to belong to the group too):
~ chown :private-group /home/user/private-config-file
~ chmod g+r /home/user/private-config-file
make the executable belong to the group and setgid (probably by root as well):
~ chown :private-group /home/user/program
~ chmod g+s /home/user/program
The program should not be in a scripted language, since setuid/setgid do not work in this case.
Using this, the program, when running, will have an effective group ID private-group, which should be enough to let it read the configuration file.
As far as I know, this should get you going, but you need to keep in mind that:
if there is any way for user1 to use the program to read arbitrary files, then your configuration file could be opened;
the program might re-write its configuration file, including the private bits, in a specific location, in a way that would be readable by user1;
any user that can execute /home/user/program will be able to use the configuration file (even if not read it).
IMPORTANT: setuid/setgid processes are much harder to write and use in a secure way than you would believe...
I should again emphasize that if you have significant security implications of leaking the contents of the configuration file, you really should think and tread very carefully.
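As an added example (not part of the answer above), the following Python checker inspects a program/config pair for the layout the answer describes: same group, setgid bit and o+x on the program, g+r but no o+r on the config file, and the answer's point that the kernel ignores setgid on interpreter scripts. The build_sample() fixture and its file contents are constructed here so the checker can be run without root; the real paths /home/user/program and /home/user/private-config-file are whatever you pass in.

```python
import os
import stat
import tempfile

# Added example (not from the answer above): a checker for the setgid-binary +
# group-readable-config layout, plus a constructed fixture for running it unprivileged.

def check_setgid_layout(program: str, config: str) -> list:
    """Return a list of problems; an empty list means the layout is as intended."""
    p, c = os.stat(program), os.stat(config)
    pmode, cmode = stat.S_IMODE(p.st_mode), stat.S_IMODE(c.st_mode)
    problems = []
    if p.st_gid != c.st_gid:
        problems.append("program and config file are not in the same group")
    if not pmode & stat.S_ISGID:
        problems.append("program lacks the setgid bit (chmod g+s)")
    if not pmode & stat.S_IXOTH:
        problems.append("program is not executable by others, so user1 cannot run it")
    if pmode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("program is group- or world-writable: whoever edits it runs code as the group")
    if not cmode & stat.S_IRGRP:
        problems.append("config file is not group-readable (chmod g+r)")
    if cmode & stat.S_IROTH:
        problems.append("config file is world-readable, so user1 can read it directly")
    with open(program, "rb") as fh:          # the answer's caveat about scripted languages
        if fh.read(2) == b"#!":
            problems.append("program is an interpreter script: the kernel ignores setgid on scripts")
    return problems

def build_sample(root: str, config_mode: int = 0o640, script: bool = False) -> tuple:
    """Constructed fixture: a fake 'program' and 'private-config-file' under root."""
    prog = os.path.join(root, "program")
    cfg = os.path.join(root, "private-config-file")
    with open(prog, "wb") as fh:
        fh.write(b"#!/bin/sh\n" if script else b"\x7fELF-stub")   # placeholder bytes, not a real binary
    with open(cfg, "w") as fh:
        fh.write("db_password=PLACEHOLDER\n")
    os.chmod(prog, 0o2755)      # rwxr-sr-x: setgid, runnable by anyone
    os.chmod(cfg, config_mode)
    return prog, cfg

def run_demo() -> dict:
    """Check a correct layout and two common mistakes; results keyed by case name."""
    cases = {"ok": {}, "world_readable": {"config_mode": 0o644}, "script": {"script": True}}
    results = {}
    for name, kwargs in cases.items():
        with tempfile.TemporaryDirectory() as root:   # files must exist while checked
            results[name] = check_setgid_layout(*build_sample(root, **kwargs))
    return results
```

Calling run_demo() reports no problems for the correct layout, flags the world-readable config, and flags the shell-script program. It checks file modes only; it cannot tell you whether user1 happens to be a member of private-group, which would also let user1 read the file directly.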

Plex and Owncloud shared folders permission issues

I am setting up a multimedia server on Debian 8.
I installed both Plex and Owncloud. I have set up /var/media as my Owncloud default folder. I decided to create a folder Library at the root of Owncloud. So the folder path is:
/var/media/admin/files/Library
I changed the permissions of media with:
chmod 770 -R /var/media
On top of that, all the files in /var/media are owned by www-data:www-data.
In order to make Plex see my media, I have added the user plex to the group www-data. I would like to create a library watching my /var/media/admin/files/Library folder, but I have a problem: Plex sees neither the files nor the folders in /var/media. Here is a screenshot:
To finish, I have tried to connect on my server via ssh with the plex user, and it sees files and folders inside /var/media.
What am I doing wrong? Maybe it is not a permission issue?
Thanks
Update
If I change the ownership of /var/media to plex:www-data, it works. But I can't understand why it doesn't work for www-data:www-data. So it is indeed a permissions issue.
If I launch id plex, I have:
uid=107(plex) gid=33(www-data) groups=33(www-data)
Just to remind, here are the permissions of /var/media folder (full permissions for group...):
drwxrwx--- 4 www-data www-data 4096 Oct 30 09:01 media
I assume from your post that Plex, Linux OS, and your media are all contained on the same machine and that there are no separate computing devices being used here as that would mean additional steps are required.
In all likelihood, plex won't be able to list your files because the mode 777 is required to list files in a directory even if the files themselves are set more restrictively than 777 e.g. 750. From what I can tell, your chmod command has set all the directory permissions to 770 which would break the listing capability. As it happens I've just yesterday written a guide over on Tech-KnowHow that covers this, and within that I have described how to set all your folders to 777 and your files to something else. That way it works with plex (and other systems for that matter). I've essentially chosen the same solutions as you in that I use the group to assign the permissions and make sure the everyone / other mode is set to apply no permissions.
There's a direct link to the article below; you'll need to click on the implementation page and look for the find command under the 'Apply correct modes' heading. I've also included how to keep your ownership consistent through Samba, which is useful when copying new files across. Let me know how that goes in the comments and I'll help you out where I can while it's still fresh in my mind. Good luck!
https://www.tech-knowhow.com/2016/03/how-to-plex-permissions-linux/
I know it is an old post, but I had the same issue and this was my solution:
After a
sudo service plexmediaserver status
I found the file used to launch the plex service, /lib/systemd/system/plexmediaserver.service. This file contains the user and group which are used by plex.
So we can change the line Group=plex to your group.
PS: do not forget to restart the plex service with
sudo service plexmediaserver restart

Permissions error installing new theme in Concrete5

I've just installed Concrete 5 CMS by following the instructions on the website.
The folders application/files/, application/config/, packages/ and updates/ will need to be writable by the web server process. This can mean that the folders will need to be "world writable", depending on your hosting environment. If your server supports running as suexec/phpsuexec, the files should be owned by your user account, and set as 755 on all of them. That means that your web server process can do anything it likes to them, but nothing else can (although everyone can view them, which is expected.) If this isn't possible, another good option is to set the apache user (either "apache" or "nobody") as having full rights to these files. If neither are possible, chmod 777 to files/ and all items within (e.g. chmod -R 777 file/*)
The packages folder has permission 777 and the root/tmp folder has permission 755.
I've uploaded a new theme to /packages over FTP. When I try to install the new theme I see the following error:
An unexpected error occurred. fopen(/root/tmp/1419851019.zip) [function.fopen]: failed to open stream:
Permission denied
I have FTP access to the server and access to CPanel. How do I get this working without granting too many permissions which pose a security risk?
My install has the folders application/files, application/config, packages, and updates all set to 755 and it's working just fine.
You get that error because the system is trying to write to /root/tmp, which apparently is the environment configuration for a temp folder when your PHP request is handled.
Try adding the folder application/files/tmp in your file system (within your concrete5 installation). Then make sure that the user running PHP in your environment can write to that folder. As explained in concrete5's own documentation (that you linked originally), which user this is depends on your server.
Usually in shared hosting environments it's the same as the account you use to login there through SSH or FTP. In these cases, the 755 permissions should be enough if your own user owns the tmp folder you just created.

Phing runs under user with limited permission

I have not used phing before, but would like to use it to automate my deployment process. Currently I log in under myuser, Apache runs under www-data. All my application code is owned by myuser, but other (cache) files are generated by www-data.
I currently solve this by using sudo to remove these files. I would like to keep the application code owned by myuser, because it's easier to access the files via ssh. I wouldn't like phing to run with super powers, because at this moment I don't trust this automated tool yet.
What is the best practice to use phing with limited file permissions?
I had the same issue. Apache is running as www-data.www-data and files created by the webserver are 644 and directories 755.
I solved it by:
adding the user running phing to the www-data group
adding umask 002 to the /etc/apache2/envvar file, see link
Phing is now able to remove the directories and files created by Apache.
As I understand it the problem is that phing can't do anything with the cache files since they were created by your Apache user (www-data) and you are running phing as myuser. It sounds to me like you just need to change the permissions on the cache files so that myuser has full permissions. How to do this will depend on how your application is written, but something along the lines of chmod/chown'ing the files after creation or creating them with a umask allowing myuser permissions.
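Both the first question on this page (PhantomJS output landing at 644 while an editor saves 664) and the umask 002 fix in the Phing answer above come down to the same mechanism, shown here in an added Python example that is not part of either thread: the umask is a per-process attribute, inherited across fork/exec, and the kernel stores requested_mode & ~umask for a new file. So a program that passes 0666 to open() gets 664 under umask 002, while a program that passes 0644 itself gets 644 under any umask, because the umask can only clear bits, never add them. The file name is constructed; the function works in a scratch directory it creates and removes.

```python
import os
import stat
import tempfile

# Added example (not from the threads above).  The umask belongs to the process,
# not to the user account: a child inherits it, and the kernel applies it as
# stored_mode = requested_mode & ~umask when a file is created.

def create_with_umask(mask: int, requested: int = 0o666) -> int:
    """Create a scratch file while this process runs with umask `mask` and
    return the permission bits the kernel actually stored."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "webshot.jpg")   # constructed name
    old_mask = os.umask(mask)
    try:
        # O_EXCL: fail rather than reuse an existing file under that name.
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
        os.close(fd)
    finally:
        os.umask(old_mask)                       # always restore the caller's umask
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    os.rmdir(tmpdir)
    return mode

def group_writable(mode: int) -> bool:
    """True if group members may write (the 664 case the first question wants)."""
    return bool(mode & stat.S_IWGRP)

if __name__ == "__main__":
    for mask, req in ((0o022, 0o666), (0o002, 0o666), (0o002, 0o644)):
        got = create_with_umask(mask, req)
        print(f"umask {mask:03o}, open() mode {req:03o} -> {got:03o}, "
              f"group-writable={group_writable(got)}")
```

Whether www-data can unlink() a file is decided by write and execute permission on the directory containing it (and the sticky bit, if set), not by the file's own mode, so directory ownership and mode are worth checking before changing file modes.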

should apache upload dir have 777 permissions or belong to www-data user?

I'm running apache and my php site uploads images to the server. should apache upload dir have 777 permissions or belong to www-data user? How would this affect backing things up?
I think read + write permission is enough: read for backup, write for upload. It seems that no one ever needs to execute anything.
And you should only grant permissions to those who really need them. For example, grant write permission to www-data. And if you use another-user to do backups, only grant read permission to another-user.
You'd better avoid using 777.
That depends on what you need from it. You should always use the most restrictive permissions that will let you do what you need.
Read the man page for chmod(1) to learn what the various permission bits mean. And maybe provide some more detail about your situation, so someone can provide a specific answer for you.
First and foremost the apache server needs to run as a non-privileged user. Second the upload directory should only need 600 as the permission (rw) iirc. This will allow the user that is running apache to write to that directory. The practical attack against a web server is to trick it into writing to a directory and having it execute the code that is placed there.