Re: Unix Webcat Permission - Suggestions

This WebDNA talk-list message is from

2000

It keeps the original formatting. numero = 29412
interpreted = N
texte = note to John and Clem (and others who have been following this thread)I just received a reply to my detailed post from Le Pham - SM's apparent best unixengineer (she's not in tech support). She took a look at my permissions (what I posteda few posts ago) and said I had a couple security issues but did not see anything thatcould lead to the dupe-db problem. Regarding that she just said that she has beenunable to duplicate the issue on her machine and for me to give a detailed report toher when/if it ever happens again.email me direct if you want a copy of her reply to me.-Johnjpeacock@univpress.com wrote:> The nobody user and nobody group are special in that they have no rights to> login, or to files other than their own. You can actually call them anything> you want to; some Unix's use UID 99, some use UID 2**16 - 2 (65534). Some use> nogroup instead of nobody so YMMV. I suppose the nobody group could have> been named web or the admin could have created a group called web that> nobody and all web developers belong to.>> The SUID script is very easy to write, since it is literally the two lines I> wrote below in a file owned by root marked as world-executable and SUID. I want> to write a more userful Perl program to provide a way to upload files into a> staging area and then move them into the executable location with the correct> rights. The problem is that some versions of Unix have broken SUID support and> you need to do something special when you build Perl to emulate this. It is> also possible that a WebCat template could be written to manage this as well.>> What I was writing was how to set up WebCat under Unix in the most secure way> possible, assuming that the machine had other users who could access it. If you> are the only user (apart from the Sys Admin), that has access to that area, you> can get away with more lenient security. I believe from my own testing,> however, that the only way to be sure that WebCat has the proper rights to alter> a database file is to make sure that the file is owned by the nobody user. If> your database files are all read only, which mine are, you can get away with> making the files readable by nobody and everything will work.>> John Peacock>> ____________________Reply Separator____________________> Subject: Re: Unix Webcat Permission - Suggestions> Author: (WebCatalog Talk)> Date: 3/20/00 10:23 PM>> Thanks for spending the time to write the below John.>> sorry for asking more newbie Q's but I am in a peculiar situation in that I am> not sys> admin, do not have root (I rely on ftp), know extremely little about unix,> and my> sys admin is so busy I rarely get his attention but he relies on me to tell him> how> webcat is supposed to be set up (since I am the only one doing serious webcat> development on that Linux box).>> So you are saying below that not only the user but also the group should be set> to> nobody? All I am wanting to be sure of is that webcat works and there is no> chance> of webcat starting too many processes (sp?) (Sam Polk says if it gets over 3> then there> is trouble) and getting multiple copies of the same db into its cache. So if> you are> saying the group also has to be nobody then that eliminates the ability of ftp> right? (I don't yet know my chances of getting such a SUID script.) Do you> think> that if I make the owner of the databases that webcat edits nobody while> leaving the> group set to web then I still run risk of the multiple copies of same db in> cache> problem? Also I ask the same question with regard to the templates themselves -> can I> leave the group as web and avoid the dupe db problem? If so, then what other> issues> might still lurk that caused you to give your advice the way you did (below)?>> Thanks for your time>> -John>> jpeacock@univpress.com wrote:>> > Caveats: I do not work for SmithMicro and have picked up all of my Unix admin> > skills from reading man pages and O'Reilly books (the traditional method). I> am> > running Unix Apache Module version 3.06f (since I like to perform my own> > installs, thanks). I tested this all with a clean install.> >> > Several users have asked for advice on permission settings and security. My> > best advice is to make _all_ files owned by nobody, and _all_ directories> > containing those files owned by nobody. This includes all webcatalog> > files/directories as well as user templates and databases. This is the> normal> > operating methodology for Unix daemons. You also should not give any rights> to> > any other user. In other words:> >> > chown -R nobody:nobody * #recursively set owner> > chmod -R go= * #set user/group rights to none> >> > This is not a security concern once you realize that the nobody user has no> > rights to directly log in. Unix security hacks that prey on the nobody user> > rely on tricking the O/S into upgrading nobody to root, or get some process> > running as root to run bad code.> >> > If you need to be FTP'ing files up to the server, work with your Unix> > administrator to create a SUID script that copies the files into the correct> > location and sets their owner and rights to the above. If you follow the> above> > suggestions, an ordinary user cannot even list the files in your WebCat> > directories, let alone read them. The WebCat process will serve them up fine.> > Ordinary users should never have direct access to WebCatalog served files> > (IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will> change,> > but until then, anyone hosting WebCat will need to change rights/owners for> all> > files.> >> > I am thinking in the back of my head about a small WebCat application which> > would facilitate managing multiple users/sites. Think about an admin database> > with username, pathname source, and destination. One button update would copy> > the source files to the destination, with the correct rights. I could even> see> > a trigger to automate it (though I do not trust outside developers enough to> > copy their templates onto my server without looking at them). Users would> only> > need ordinary rights to their parallel directory structure and WebCat would> only> > run the versions in the official directories.> >> > HTH> >> > John Peacock> >> > -------------------------------------------------------------> > This message is sent to you because you are subscribed to> > the mailing list .> > To unsubscribe, E-mail to: > > To switch to the DIGEST mode, E-mail to> >> -------------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to -------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Associated Messages, from the most recent to the oldest:

Re: Unix Webcat Permission - Suggestions (John Butler 2000)
Re[2]: Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
Re: Unix Webcat Permission - Suggestions (John Butler 2000)
Re: Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)

note to John and Clem (and others who have been following this thread)I just received a reply to my detailed post from Le Pham - SM's apparent best unixengineer (she's not in tech support). She took a look at my permissions (what I posteda few posts ago) and said I had a couple security issues but did not see anything thatcould lead to the dupe-db problem. Regarding that she just said that she has beenunable to duplicate the issue on her machine and for me to give a detailed report toher when/if it ever happens again.email me direct if you want a copy of her reply to me.-Johnjpeacock@univpress.com wrote:> The nobody user and nobody group are special in that they have no rights to> login, or to files other than their own. You can actually call them anything> you want to; some Unix's use UID 99, some use UID 2**16 - 2 (65534). Some use> nogroup instead of nobody so YMMV. I suppose the nobody group could have> been named web or the admin could have created a group called web that> nobody and all web developers belong to.>> The SUID script is very easy to write, since it is literally the two lines I> wrote below in a file owned by root marked as world-executable and SUID. I want> to write a more userful Perl program to provide a way to upload files into a> staging area and then move them into the executable location with the correct> rights. The problem is that some versions of Unix have broken SUID support and> you need to do something special when you build Perl to emulate this. It is> also possible that a WebCat template could be written to manage this as well.>> What I was writing was how to set up WebCat under Unix in the most secure way> possible, assuming that the machine had other users who could access it. If you> are the only user (apart from the Sys Admin), that has access to that area, you> can get away with more lenient security. I believe from my own testing,> however, that the only way to be sure that WebCat has the proper rights to alter> a database file is to make sure that the file is owned by the nobody user. If> your database files are all read only, which mine are, you can get away with> making the files readable by nobody and everything will work.>> John Peacock>> ____________________Reply Separator____________________> Subject: Re: Unix Webcat Permission - Suggestions> Author: (WebCatalog Talk)> Date: 3/20/00 10:23 PM>> Thanks for spending the time to write the below John.>> sorry for asking more newbie Q's but I am in a peculiar situation in that I am> not sys> admin, do not have root (I rely on ftp), know extremely little about unix,> and my> sys admin is so busy I rarely get his attention but he relies on me to tell him> how> webcat is supposed to be set up (since I am the only one doing serious webcat> development on that Linux box).>> So you are saying below that not only the user but also the group should be set> to> nobody? All I am wanting to be sure of is that webcat works and there is no> chance> of webcat starting too many processes (sp?) (Sam Polk says if it gets over 3> then there> is trouble) and getting multiple copies of the same db into its cache. So if> you are> saying the group also has to be nobody then that eliminates the ability of ftp> right? (I don't yet know my chances of getting such a SUID script.) Do you> think> that if I make the owner of the databases that webcat edits nobody while> leaving the> group set to web then I still run risk of the multiple copies of same db in> cache> problem? Also I ask the same question with regard to the templates themselves -> can I> leave the group as web and avoid the dupe db problem? If so, then what other> issues> might still lurk that caused you to give your advice the way you did (below)?>> Thanks for your time>> -John>> jpeacock@univpress.com wrote:>> > Caveats: I do not work for SmithMicro and have picked up all of my Unix admin> > skills from reading man pages and O'Reilly books (the traditional method). I> am> > running Unix Apache Module version 3.06f (since I like to perform my own> > installs, thanks). I tested this all with a clean install.> >> > Several users have asked for advice on permission settings and security. My> > best advice is to make _all_ files owned by nobody, and _all_ directories> > containing those files owned by nobody. This includes all webcatalog> > files/directories as well as user templates and databases. This is the> normal> > operating methodology for Unix daemons. You also should not give any rights> to> > any other user. In other words:> >> > chown -R nobody:nobody * #recursively set owner> > chmod -R go= * #set user/group rights to none> >> > This is not a security concern once you realize that the nobody user has no> > rights to directly log in. Unix security hacks that prey on the nobody user> > rely on tricking the O/S into upgrading nobody to root, or get some process> > running as root to run bad code.> >> > If you need to be FTP'ing files up to the server, work with your Unix> > administrator to create a SUID script that copies the files into the correct> > location and sets their owner and rights to the above. If you follow the> above> > suggestions, an ordinary user cannot even list the files in your WebCat> > directories, let alone read them. The WebCat process will serve them up fine.> > Ordinary users should never have direct access to WebCatalog served files> > (IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will> change,> > but until then, anyone hosting WebCat will need to change rights/owners for> all> > files.> >> > I am thinking in the back of my head about a small WebCat application which> > would facilitate managing multiple users/sites. Think about an admin database> > with username, pathname source, and destination. One button update would copy> > the source files to the destination, with the correct rights. I could even> see> > a trigger to automate it (though I do not trust outside developers enough to> > copy their templates onto my server without looking at them). Users would> only> > need ordinary rights to their parallel directory structure and WebCat would> only> > run the versions in the official directories.> >> > HTH> >> > John Peacock> >> > -------------------------------------------------------------> > This message is sent to you because you are subscribed to> > the mailing list .> > To unsubscribe, E-mail to: > > To switch to the DIGEST mode, E-mail to> >> -------------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to -------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to John Butler

DOWNLOAD WEBDNA NOW!

Re: Unix Webcat Permission - Suggestions

2000

Top Articles:

Related Readings: