File System Permissions for Apache

I don’t spend a lot of time on The Apache HTTP Server Users mailing list, but a discussion sprang up there this week to which I think I should share my response. The issue was why the server in question did not have permission to show a particular file. The initial response was “just chown your document root to the Apache user” and, when it was pointed out that this introduced security issues, the reply was:

Oh man an experienced sys admin told me to do it that way.
Please tell me what is wrong in this and where is this documented on Apache docs.
I want to read.

Here is my response reproduced: read on.

The Apache HTTP Server needs read access to its configuration files and the files it serves. In and of itself, the server does not need write access anywhere on the system: even its log files are opened for writing while the server is still root, and the open file descriptors are passed to the child processes, which then change their user id to the less privileged user.

Read access only. The web server user should not own, or be able to write to, its configuration files or content.

Content, other than CGI scripts, generally does not need Execute permissions. Even PHP files that are interpreted by the server do not need to be Executable.

Certain applications, especially publishing platforms and Content Management Systems that you manage and populate through the web server itself using a browser, require that certain directories on the system be made writable by the web server user. You can do this by changing the owner of the directory to that user (usually www but ymmv), or by making the directory group-writable and changing its group to the group that Apache runs as.

Making directories writable by the web server should be done only with care and consideration. The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser. Now someone is executing code on your machine. Google for ‘r57’ for an example of what such code can do.

If a web app needs writable directories, it’s often better to have those outside the DocumentRoot: that way the uploads can’t be accessed from the outside through a direct URL. Some applications (WordPress for instance) support this, others do not.

In many cases, writable directories are not strictly necessary even though the web app might like them: rather than upload plugins (which contain code that gets executed or interpreted, yech!) through the web browser, upload them through ssh and manually unpack them on the server. The CMS Joomla! likes to write its configuration file to the Document Root on initial install (which promptly becomes a popular attack target) but if it can’t write to the Document Root, it will output the config to the browser so the user can manually upload it.

The Apache Documentation will merely tell you to make the server installation root-owned. The HTTP Server Documentation does not cover third party applications like WordPress or Joomla!, so it will not discuss their need to have some directories writable. I hope the above makes the picture a little more complete.
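To check an existing installation against the rules above, the following added example (not part of the original mailing-list response or of the Apache documentation) lists what the web server user could modify and which content files carry execute bits. The function names, the numeric-or-named user and group arguments, and the `cgi-bin` path exclusion are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a DocumentRoot against "read access only".

# audit_writable DOCROOT WEB_USER WEB_GROUP
# Prints every path under DOCROOT that the web server user could change:
#   - anything it owns (an owner can always chmod its way to write access),
#   - anything group-writable whose group is the server's group,
#   - anything world-writable.
# Symlinks are skipped: their own mode bits are not meaningful.
audit_writable() {
    docroot=$1
    web_user=$2
    web_group=$3
    find "$docroot" ! -type l \( \
        -user "$web_user" -o \
        \( -group "$web_group" -perm -0020 \) -o \
        -perm -0002 \
    \) -print
}

# audit_executable DOCROOT
# Prints regular files with any execute bit set, outside cgi-bin
# directories (assumed location of CGI scripts). Static content and
# server-interpreted PHP files do not need these bits.
audit_executable() {
    find "$1" -type f ! -path '*/cgi-bin/*' \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Stand-alone use: ./audit.sh /var/www/html www www
if [ "$#" -eq 3 ]; then
    echo "Writable by or owned by $2:$3:"
    audit_writable "$1" "$2" "$3"
    echo "Content files with execute bits:"
    audit_executable "$1"
fi
```

Directories the application genuinely needs to write to will show up in the first list; the point is that every entry there should be a deliberate decision.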

Water Cooler Effect

Mark Suster writes The Power of “In Person” — Why Distributed Teams are Less Effective about the importance of in-person communications in an early-stage Startup. I have worked in an office, then been a remote employee (an effective one, I like to think) of two post-scaling companies. I fully agree with Mark’s arguments: the dynamics of in-person communications are hugely important, especially at an early stage when you are defining what your company is actually doing.

The comments Mark attracts also rock: one commenter states “It’s too hard to move the needle, or even be poked by the needle, if you aren’t in the room.” Well said.

Intel Founder on Job Creation in the US

Insightful cover story by Intel founder Andy Grove in BusinessWeek: How America can Create Jobs. America needs Industry jobs: I agree with Grove’s statement that letting go of technologies to be manufactured elsewhere puts the country in a knowledge hole. We can’t all be knowledge workers, and not all people in the country (any country, not limited to the USA) will be designing the next great technology only to then hand it off to other geographic regions to be manufactured. Especially seen in the light of something like this TechCrunch post: if the US doesn’t make the product, there will be less of a need to develop it there. One can go elsewhere with lower taxes, better healthcare and fine education.

Grove’s solution, a tax on products created with foreign labor, should raise some hackles. Taxes are bad, right? However, if not for government intervention, I don’t think anything can change. Corporations can’t be expected to change their ways for the greater good: their job is to do business and maximize profits. Only the government can steer their behavior by turning the greater good into a business decision. And, unfortunately, taxes are the main instrument at their disposal to do so.