keeping legitimate users out of public_html

on 15.09.2004 14:15:08 by William Stanard

I help students manage a school intranet website on a machine running Red
Hat 2.4.18-14 and Apache 2.0.40.

How do I keep my student users with accounts on the machine from being
able to access, via Putty, /home/bobo/public_html, the directory in which
I keep all of the content for the site, including tests and quizzes for my
students' online use?

I can password protect, using .htaccess, specific directories from
"unauthorized" access, but I would like to provide similar protection for
the /home/bobo/public_html/Prog/tests directory. If I change permissions
via chmod, however, then Apache will not be able to serve the pages to the
intranet.

Bill Stanard
Academic Computing
Palmer Trinity School




-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: keeping legitimate users out of public_html

on 15.09.2004 14:20:09 by William Stanard

"William Stanard" writes:
> I can password protect, using .htaccess, specific directories from
>"unauthorized" access
I need to amend the above to read: ...protect, using .htaccess, specific
directories from "unauthorized" intranet (via http) access.

Apologies.

Bill Stanard





Re: keeping legitimate users out of public_html

on 15.09.2004 19:14:11 by Ray Olszewski

At 08:15 AM 9/15/2004 -0400, William Stanard wrote:
>I help students manage a school intranet website on a machine running Red
>Hat 2.4.18-14 and Apache 2.0.40.
>
>How do I keep my student users with accounts on the machine from being
>able to access, via Putty, /home/bobo/public_html, the directory in which
>I keep all of the content for the site, including tests and quizzes for my
>students' online use?
>
> I can password protect, using .htaccess, specific directories from
>"unauthorized" access, but I would like to provide similar protection for
>the /home/bobo/public_html/Prog/tests directory. If I change permissions
>via chmod, however, then Apache will not be able to serve the pages to the
>intranet.

This is actually a tricky problem, taking you into one of the blurry areas
of Unix/Linux permissions. One way to solve it: first check what userid
apache is running under and what groups that userid is part of. Then make
the relevant files and directories mode 640 (or 750, depending on the
specifics ... possibly even 660 or 770 if you have cgi scripts that need to
write to files or create new files), associating them with a group that the
apache userid is in but the students are not in. That should do the job for
you.

Doing this may require you to change the userid that apache runs under. And
I am assuming in this (a) that you are "bobo"; (b) the students do not have
root access to the host. If assumption (b) is wrong, then there is no way
to accomplish what you want that I know of (since root access is, by
definition, never "unauthorized"). If assumption (a) is wrong, the general
idea I'm suggesting should still work, but you will have to adjust some
details, depending on what the userid "bobo" actually is.




Re: keeping legitimate users out of public_html

on 20.09.2004 15:59:35 by Stephen Samuel

You can do this in one of two ways using SIMPLE unix file access:

One is to do what was listed below: Find the group of the apache
process, and permit the public_html directory to be read only
by the apache group.

chgrp httpd public_html
# a directory needs the x (search) bit before Apache can reach the files
# inside it, so the group gets r-x (5), not rw- (6)
chmod 750 public_html

(You need to be root (or a member of group public_html) to do the chgrp
call, but not the chmod command.)

If you want to prevent ONLY the students from accessing the public_html
directory, then you can create a group 'students', and add all of the
student accounts into the group students. Then change the public_html
directory to be group students, and mode 706 (readable by everybody
BUT group students).

To initially set the group of all the students, you can go:

# usermod -G replaces the account's whole supplementary group list
for sid in `cat student_uid_list` ; do usermod -G students "$sid" ; done
chgrp students public_html
# "other" (which is where the Apache user lands) needs x to traverse the
# directory, so 705 rather than 706; group students gets nothing
chmod 705 public_html

Your last choice would be to use ACLs (access control lists).
About the only nice thing about the ACL method is that it
doesn't require you to be root. The nasty thing is that ACLs
aren't well integrated into the UNIX world, and I personally
dislike using them when I don't have to -- but they do work.

HOWEVER: you first have to mount the filesystem with ACLs available.
Change the mount options for /home (presuming that it is a separate
filesystem) or / to include 'acl'.

On a live system, you can remount to include ACL capability:

mount -o remount,acl /home

You can then permit no access to others, and
read-only access to group apache:

# "o" is the other class (no access); user apache gets read and search
setfacl -m o::---,u:apache:r-x public_html

The nice thing about ACLs is that, once you mount the filesystem
with ACLs enabled, you don't have to be root to give specific groups
and/or users access. However, when you do an 'ls -l' it'll only hint
at the existence of ACLs by printing a '+' after the permissions section:

-rw-r-x---+ 1 samuel samuel 0 Sep 20 06:30 public_html

You need to use getfacl to get the full permissions info.

If the students are members of a group, then you can permit
them no access in a similar way with ACLs:

setfacl -m group:students:--- public_html


Or you can explicitly permit specific students no access:

for name in `cat student_list` ; do setfacl -m user:"$name":--- public_html ; done


Ray Olszewski wrote:
> At 08:15 AM 9/15/2004 -0400, William Stanard wrote:
>
>> I help students manage a school intranet website on a machine running Red
>> Hat 2.4.18-14 and Apache 2.0.40.
>>
>> How do I keep my student users with accounts on the machine from being
>> able to access, via Putty, /home/bobo/public_html, the directory in which
>> I keep all of the content for the site, including tests and quizzes for my
>> students' online use?
>>
>> I can password protect, using .htaccess, specific directories from
>> "unauthorized" access, but I would like to provide similar protection for
>> the /home/bobo/public_html/Prog/tests directory. If I change permissions
>> via chmod, however, then Apache will not be able to serve the pages to the
>> intranet.
>
>
> This is actually a tricky problem, taking you into one of the blurry
> areas of Unix/Linux permissions. One way to solve it: first check what
> userid apache is running under and what groups that userid is part of.
> Then make the relevant files and directories mode 640 (or 750, depending
> on the specifics ... possibly even 660 or 770 if you have cgi scripts
> that need to write to files or create new files), associating them with
> a group that the apache userid is in but the students are not in. That
> should do the job for you.
>
> Doing this may require you to change the userid that apache runs under.
> And I am assuming in this (a) that you are "bobo"; (b) the students do
> not have root access to the host. If assumption (b) is wrong, then there
> is no way to accomplish what you want that I know of (since root access
> is, by definition, never "unauthorized"). If assumption (a) is wrong,
> the general idea I'm suggesting should still work, but you will have to
> adjust some details, depending on what the userid "bobo" actually is.

--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.

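Added example, not code from any post in this thread: a small sh function that applies the classic Unix permission algorithm, so the modes suggested by Ray and Stephen can be checked before anything is changed on the server. It shows why a directory must carry the x (search) bit for Apache to reach files under it, and why giving the directory to a group the students belong to locks them out while "other" still gets in. The accounts bobo, apache, httpd and students come from the thread; alice is a constructed student account.

```shell
#!/bin/sh
# Classic Unix permission check for one process against one file or
# directory, evaluated the way the kernel does it: the owner bits if the
# uid matches, otherwise the group bits if ANY of the process's groups is
# the owning group, otherwise the "other" bits.  The classes are exclusive:
# a member of the owning group never falls through to "other", which is
# what makes "group students, mode 705" a denial for students only.
#
# usage: unix_allows MODE OWNER GROUP USER "GROUP1 GROUP2 ..." WANT
#   MODE  octal mode such as 750;  WANT  one of r, w, x
#   (on a directory, x is the search bit: without it the files inside are
#   unreachable even when r is set)
# exit status 0 = allowed, 1 = denied
unix_allows() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5 want=$6
    bits=$((0$mode))                   # leading 0 -> octal in $(( ))
    if [ "$user" = "$owner" ]; then
        class=$(( (bits >> 6) & 7 ))
    else
        class=$(( bits & 7 ))          # default to the "other" class
        for g in $ugroups; do
            if [ "$g" = "$group" ]; then
                class=$(( (bits >> 3) & 7 ))
                break
            fi
        done
    fi
    case $want in
        r) mask=4 ;; w) mask=2 ;; x) mask=1 ;;
        *) echo "unknown permission: $want" >&2; return 2 ;;
    esac
    [ $(( class & mask )) -ne 0 ]
}

# Constructed scenario from the thread: bobo owns public_html, Apache's
# workers run as "apache" in group httpd, the students are in "students"
# (alice is a made-up student).  Each line: MODE OWNER GROUP USER GROUPS WANT
demo() {
    for c in "760 bobo httpd apache httpd x" "750 bobo httpd apache httpd x" \
             "750 bobo httpd alice students x" "706 bobo students apache httpd x" \
             "705 bobo students apache httpd x" "705 bobo students alice students r"
    do
        # word-splitting $c on purpose: it carries the six arguments
        if unix_allows $c; then echo "ALLOW  $c"; else echo "DENY   $c"; fi
    done
}
demo
```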

Re: keeping legitimate users out of public_html

on 20.09.2004 18:49:08 by William Stanard

Ray Olszewski writes:
>At 08:15 AM 9/15/2004 -0400, William Stanard wrote:
>>I help students manage a school intranet website on a machine running Red
>>Hat 2.4.18-14 and Apache 2.0.40.
>>
>>How do I keep my student users with accounts on the machine from being
>>able to access, via Putty, /home/bobo/public_html, the directory in which
>>I keep all of the content for the site, including tests and quizzes for my
>>students' online use?
>>
>> I can password protect, using .htaccess, specific directories from
>>"unauthorized" access, but I would like to provide similar protection for
>>the /home/bobo/public_html/Prog/tests directory. If I change permissions
>>via chmod, however, then Apache will not be able to serve the pages to the
>>intranet.
>
>This is actually a tricky problem, taking you into one of the blurry areas
>of Unix/Linux permissions. One way to solve it: first check what userid
>apache is running under and what groups that userid is part of.
Thank you very much for the reply. I am using what you said and what
Stephen posted to solve the problem.... but, and this seems so simple, I
am embarrassed to ask, how do I determine what userid apache is running
under?

Bill Stanard





Re: keeping legitimate users out of public_html

on 20.09.2004 19:31:54 by Ray Olszewski

At 12:49 PM 9/20/2004 -0400, William Stanard wrote:
>[...]
>Thank you very much for the reply. I am using what you said and what
>Stephen posted to solve the problem.... but, and this seems so simple, I
>am embarrassed to ask, how do I determine what userid apache is running
>under?

Questions are always simple to people who already know the answers. To
others, they are often hard. In your case, you can check this with the "ps"
command. If the app name is actually apache (it usually is these days,
though older versions sometimes ran under the name httpd), this will find it:

ps aux | grep apache

The userid will be the leftmost column.



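Added example, not from Ray's post: a function that pulls the worker accounts out of `ps -eo user=,comm=` output, because the httpd master process belongs to root and only its children show the account Apache actually serves files as. The ps output below is constructed, not captured from the poster's machine; the account names apache and bobo are the thread's.

```shell
#!/bin/sh
# Pick out the accounts Apache's worker processes run as.  The master
# process is owned by root (it binds port 80); the children that actually
# serve requests run as the "User" from httpd.conf, and that account's
# group membership is what the public_html permissions have to fit.
# Input: "user command" pairs on stdin, the shape `ps -eo user=,comm=`
# prints (header suppressed), so constructed input can be tested offline.
apache_users() {
    awk '$2 ~ /^(httpd|apache|apache2)$/ && $1 != "root" { print $1 }' | sort -u
}

# Constructed sample of `ps -eo user=,comm=` output from a Red Hat box
# (not captured from the poster's machine).
SAMPLE_PS='root    init
root    httpd
apache  httpd
apache  httpd
bobo    bash
alice   sshd'

# For each worker account, show its uid and groups via id(1), which reads
# /etc/passwd and /etc/group and therefore needs no root.  On a host
# without that account, say so instead of failing.
report_apache_groups() {
    printf '%s\n' "$SAMPLE_PS" | apache_users | while read -r u; do
        id "$u" 2>/dev/null || echo "$u: no such account on this host"
    done
}

# On the real server, pipe live output instead of the sample:
#   ps -eo user=,comm= | apache_users
report_apache_groups
```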