
Topic solved
This topic is marked as solved and as such requires no attention unless you want to bump this issue.

SimpleDesk Mod installation is failing

Started by jetberrocal, May 06, 2010, 12:25:02 PM


jetberrocal

Quote from: jetberrocal on May 10, 2010, 03:34:39 PM
What if I add the www-data user to the root group?

Then I put back the folders/files to chown root:root

This way all the Apache instances will have write access to the folders/files
(The root Instance and the www-data instances)

I tried this with chmod 0775 on all folders/files but system says the folders are not writable.

Like the user www-data is not recognized as part of the root group

Gruffen

I don't get why you have things running as root.

Here's why: if the web files are owned by root, the webserver pretty much has to run as root. Now let's say Apache has a vulnerability - it does happen. Now your ENTIRE SERVER can be compromised.

jetberrocal

Quote from: Arantor on May 10, 2010, 04:22:13 PM
I don't get why you have things running as root.

Here's why: if the web files are owned by root, the webserver pretty much has to run as root. Now let's say Apache has a vulnerability - it does happen. Now your ENTIRE SERVER can be compromised.

At boot, the Apache server starts one instance that opens and binds port 80, which is a root port, then answers requests by opening instances under www-data. I think this is the default behavior. That is why the ps -ef output shows Apache2 running under root and the others running under www-data.

I do not know how to make it start all instances under www-data, binding Apache to port 80 at boot.

How do you do it?

Gruffen

That's how I have it; root is required to open port 80. What was concerning me is that if the files Apache is accessing are owned by root, all the *children* normally have to be root too, not www-data, which suggested to me the forking and reassigning of user id weren't happening.

jetberrocal

Quote from: Arantor on May 10, 2010, 06:38:20 PM
That's how I have it; root is required to open port 80. What was concerning me is that if the files Apache is accessing are owned by root, all the *children* normally have to be root too, not www-data, which suggested to me the forking and reassigning of user id weren't happening.

On the internet, I saw there are umask, setgid and setid configurations besides the basic chmod and chown stuff.
What are your forum folder/file settings, so I can make mine the same?

I know that setgid and setid can be set with chmod, but I do not know how to set the umask.

jetberrocal

#20
Eureka!!!

Found at least one security scheme that works.


  • Change the ownership of everything under /usr/share/joomla15/forum to www-data:root :
    chown -R www-data:root /usr/share/joomla15/forum ## -R = recursive

  • Change the permissions of all the folders to 2775:
    chmod 2775 /usr/share/joomla15/forum -R ## 2 = set group id. Note that the forum root folder chmod is 775, not 755
    OR
    find /usr/share/joomla15/forum -type d -exec chmod 2755 {} \; ## Selective to only the folders. Note that subfolders are 755

  • Change all the files to 0664:
    find /usr/share/joomla15/forum -type f -exec chmod 0664 {} \; ## Selective to only the files

  • Change the umask for your users to 0002:
    The umask controls the default file creation permissions, 0002 means files will have 664 and directories 775. Setting this (by editing the umask line at the bottom of /etc/profile in my case) means files created by www-data will be writable by other users in the root-group without needing to chmod them.  Usually the system default is 0022.

  • Reboot the system to make the umask setting take effect, if changed.

Now install the mod as usual, and activate (Core Features should add the SD (SimpleDesk) Icon/Settings)

Thank you (Arantor) for your Help,

Jose
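
Added example (not part of the original thread): a shell sketch that checks what the scheme in the last post produces, by creating files and folders under umask 0002 and 0022 inside a setgid 2775 directory and then listing entries that deviate from the scheme. It works in a throwaway temp directory (constructed, not the real forum path); the function names are made up for this example and it assumes GNU `stat -c`.

```shell
#!/bin/sh
# Added example, not code from the thread. Uses a constructed temp tree,
# never /usr/share/joomla15/forum itself. Assumes GNU coreutils stat.

# Print the octal mode of an entry newly created under a given umask.
# $1 = umask, $2 = "file" or "dir", $3 = parent directory
# The body is a subshell so the umask change does not leak to the caller.
mode_under_umask() (
    umask "$1"
    target="$3/new_$2_$1"
    if [ "$2" = dir ]; then
        mkdir "$target"
    else
        : > "$target"
    fi
    stat -c '%a' "$target"
)

# List entries that deviate from the scheme in the thread:
# directories should carry the setgid bit, files should be exactly 0664.
audit_tree() {
    find "$1" -type d ! -perm -2000 -print
    find "$1" -type f ! -perm 0664 -print
}

demo() {
    root=$(mktemp -d)
    mkdir "$root/forum"
    chmod 2775 "$root/forum"    # same mode the post applies to the folders
    for mask in 0002 0022; do
        echo "umask $mask file: $(mode_under_umask "$mask" file "$root/forum")"
        echo "umask $mask dir:  $(mode_under_umask "$mask" dir "$root/forum")"
    done
    echo "Entries that do not match the scheme:"
    audit_tree "$root/forum"
    rm -rf "$root"
}

demo
```

Under the default umask 0022 the new file comes out as 644 and is reported by the audit, which is the case the umask change in the post is meant to avoid.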