I configured WebDAV to be able to upload files onto the server. All is well, but what exactly does the DavLockDB do?
Apache stores locking information, when LOCK and UNLOCK are called, in the file specified in this configuration setting.
I have an Apache module that acts as a security filter that allows requests to pass or not. This is a custom-made module; I don't want to use any existing module.
I have actually two questions:
The module has its own log file. I'm thinking that the best location would be /var/log/apache2/, but since the Apache process runs as the www-data user, it cannot create files in that path. I want to find a solution for the log file that is not very intrusive (in terms of security) for a typical web server. Where would be the best place, and what kind of security attributes should be set?
The module communicates with another process using pipes. I would like to spawn this process from the Apache module only when I need it. Where should I locate this binary, and how should I set the privileges to be as unintrusive as possible?
Thanks,
Cezane.
Apache starts under the superuser first and performs the module initialization (calling the module_struct::register_hooks function). There you can create the log files and either chown them to www-data or keep the file descriptor open in order to later use it from the forked and setuided worker processes.
(And if you need an alternative, I think it's also possible to log with syslog and configure it to route your log messages to your log file).
Under the worker process you are already running as the www-data user so there isn't much you can do to further secure the execution. For example, AFAIK, you can't setuid to yet another user or chroot to protect the filesystem.
What you can do to improve the security is to use a system firewall. For example, under AppArmor you could tell the operating system what binaries your Apache module can execute, stopping it from executing any unwanted binaries. And you can limit that binary's filesystem access, preventing it from accessing www-data files that don't belong to it.
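The "keep the file descriptor open" option from the answer above works because the kernel checks permissions when a file is opened, not on each write. The sketch below is an added example, not code from the answer: the log name `filter.log` is hypothetical, and `chmod 000` stands in for the root-to-www-data privilege drop so that it can be run without root.

```shell
#!/bin/sh
# Added example. Demonstrates that a descriptor opened while access is
# allowed stays usable in child processes after the path becomes
# inaccessible. Prints "denied" or "ok" for a fresh open by path.
write_via_inherited_fd() {
    dir=$1
    log="$dir/filter.log"            # hypothetical log file name
    (
        umask 077
        : > "$log"                   # created with mode 0600
        exec 3>>"$log"               # "parent": open for append while allowed
        chmod 000 "$log"             # stand-in for the privilege drop

        # "worker": a child process inherits fd 3 and can still append.
        sh -c 'echo "worker $$ allowed request" >&3'

        # A fresh open by path is refused (unless running as root).
        if sh -c ': >> "$1"' sh "$log" 2>/dev/null; then
            reopen=ok
        else
            reopen=denied
        fi

        exec 3>&-                    # close the descriptor
        chmod 600 "$log"             # restore access so the result can be read
        echo "$reopen"
    )
}
```

In a real module the same effect comes from opening the log in the parent before the workers are forked, so the log directory itself never has to be writable by www-data.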
I have a requirement like this. Log files have to be created on a TFTP server in Ubuntu. I am using this TFTP version (tftp-hpa 0.49).
The only problem here is that the log file which I am dumping onto the TFTP server has to be present already. If the file is not present already, I am unable to create the log file. My requirement is to create log files dynamically on the TFTP server.
Please let me know, is there any way to achieve my requirement.
Edit /etc/default/tftpd-hpa, adding the option --create to the variable TFTP_OPTIONS=
--create:
Allow new files to be created. By default, tftpd will only allow upload of files that
already exist. Files are created with default permissions allowing anyone to read or write
them, unless the --permissive or --umask options are specified.
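Because --create alone leaves uploaded files readable and writable by anyone, it is worth setting --umask in the same edit. The helper below is an added example, not part of the original answer: `enable_tftp_create` is a hypothetical function name, the default mask 027 is an assumption, and only the long option forms are recognised.

```shell
#!/bin/sh
# Added example. Adds --create plus an explicit --umask to TFTP_OPTIONS in
# a tftpd-hpa defaults file. Safe to run repeatedly (idempotent).
# Usage: enable_tftp_create /etc/default/tftpd-hpa 027
enable_tftp_create() {
    conf=$1
    mask=${2:-027}          # assumed default: no access for "other"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case $mask in
        ''|*[!0-7]*) echo "umask must be octal: $mask" >&2; return 1 ;;
    esac

    # Last TFTP_OPTIONS="..." value in the file (empty if unset).
    current=$(sed -n 's/^TFTP_OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$conf" | tail -n 1)

    # Rebuild the list without any earlier --create/--umask.
    new=
    skip=0
    for opt in $current; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $opt in
            --create|--umask=*) ;;
            --umask) skip=1 ;;          # also drop its argument
            *) new="$new $opt" ;;
        esac
    done
    new="${new# } --create --umask $mask"
    new=${new# }

    # Rewrite through a temp file; cat keeps the original owner and mode.
    tmp=$(mktemp) || return 1
    awk -v opts="$new" '
        /^TFTP_OPTIONS=/ { if (!done) print "TFTP_OPTIONS=\"" opts "\""; done = 1; next }
        { print }
        END { if (!done) print "TFTP_OPTIONS=\"" opts "\"" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The daemon reads this file only at start-up, so it has to be restarted before the new options take effect.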
The title doesn't really sum it all up...
I have recently installed ModX Revolution 2.2.4 on an Apache server and I am having complications with the cache folder. Occasionally I have to manually clear the cache folder via ftp, but any files written there are owned by Apache and my account can't delete them. I have tried adding the "new_file_permissions" and "new_folder_permissions" to the system settings, but there is no change. The cache files are always owned by Apache and I have no access via ftp.
Also, files such as the .htaccess and really anything I upload (css etc) are seen as uneditable to modx unless I manually change them to 777 via ftp. I can't change owner and group though.
The server tech can't figure it out. This has come up before on the modx forums but it has never been answered.
Obviously, this is a server problem.
I had this problem (with an IIS server though), and the host needed to change some of their settings.
Especially, if MODX works on your different host(s).
That is the way it is supposed to work: your FTP account does not have permission to write files written by Apache. Your FTP account may be a member of the group but does not have write permission [needed to delete]. I suspect this is by design for security purposes.
Your new_file_permissions, new_folder_permissions are used for the modx file manager.
So you can do a couple of things:
Run modx under fastcgi, that way the user writing the files should be the same user as the ftp user.
OR
Write a little script [you can even stuff it in a snippet] that will delete the cache files for you [since it will be running as the Apache user, it should be no problem].
(LAMP server configuration)
As a workaround for another problem, I need PHP to be able to access local files, but prevent these files from being served over http by Apache.
Normally, I would just use .htaccess to accomplish this, however due to institutional restrictions, I cannot. I also can't touch php.ini, although I can use php_ini_set within php.
As a creative solution, I thought that if php executes as its own linux user (not as apache) I could use normal chown's and chmod's to accomplish this.
Again, the goal is simply to have a directory of files that apache will not display, but php can access.
I'm open to any suggestions.
Put the files outside of your web accessible root (DocumentRoot), but keep them accessible via PHP.
Suggestion:
/sites
/sites/my.site.com
/sites/my.site.com/data // <-- data goes here
/sites/my.site.com/web // <-- web root is here
Here's a thought. Set the permissions on the files to be inaccessible to even the owner, then when PHP needs them, chmod() them, read them, then chmod() them back to inaccessible.
If I allow a user to upload a file, after the user has uploaded the file, the file will go to
wwww.someplace.com/public_file/... ....
So, everybody can access the file. But I would like to put some restrictions on that. For example, I want to reduce the download speed for non-logged-in users. How can I do that? Also, what if I want to prevent the user from getting the files if he/she doesn't have a user right? For example, if some user uploads to
wwww.someplace.com/secret_place/... ...
Only users who have some rights can get access to this place. How can I do that? Should I do this in the web application and in the Apache server config too? Thank you.
For users you can split this between Apache and your application as I know most servers support using a database for authentication; Apache certainly supports many methods of authentication, you should find some useful info here:
http://httpd.apache.org/docs/current/howto/auth.html
One thing to note is that if you were to do this exclusively in the application then it would be easily by-passable. You can restrict the download speeds for non-logged in users using traffic shaping.
Let's consider that we want to deny access to all files with the extension .inc. In order to achieve this we will add the following configuration lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
Similar to this we can deny access to whatever files we might need…