Hey Chris,
This has been corrected in the current installer, and I’ll tell you how to fix it for your already installed machine(s). You’re absolutely on the right track, but there’s one bit missing (which you also are on the right track about, but for ColdFusion).
First thing is to set up Virtualmin to add Apache to the new domain group. Set this in the Server Template(s) that you use, in the field labeled "Add Apache user to Unix group for new servers?" setting the Apache username to "apache".
The second step is to set Virtualmin to create the appropriate “locked down” permissions that you’re using: 750. This goes in the field two down from the one mentioned above, labeled “Permissions on website subdirectory”.
To fix it for your existing domains, pull up the Users and Groups module, and edit the apache user. In the Secondary Groups multi-selector, select all of your virtual domain names (each new domain gets its own group, and Apache needs to be a member of all of them).
ColdFusion is a much harder problem, because adding it to the group opens up the hole all over again (unless it has a SuExec style wrapper like Apache), and so you might as well leave it just as it was to start with (actually this problem is much worse, if ColdFusion also needs write permissions). I don’t know enough about ColdFusion to make any kind of useful statement–we’re working on ColdFusion integration to some extent, and we’ll address this, if possible, once we understand it better.
Anyway, all installs from a week or so ago on already have this permissions and group setup enabled. It is quite a bit tighter, and a good recommendation for all hosting servers–whether running Virtualmin Professional or GPL or no administration tool at all.
Oh, I should also point out that it isn’t particularly insecure in the old way. Just not as locked down as we’d like. Writing into others’ homes was prohibited, and scripts and their output could be locked down as tight as desired (and presumably all scripts that generate sensitive data would have locked it down without having to be told). This just adds a layer of privacy on top of security. It means that users cannot “see into” the public_html directory of other users. Definitely a good thing, and it would be easy to make a mistake that could lead to security trouble with the old setup.
Next step, a real isolation model. Not sure how we’re going to achieve that yet, but it’ll be in there in a month or so one way or another.
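
One way to check existing domains against the setup described in the post above (added example, not part of the original post and not Virtualmin code): it reports every website directory whose mode is not 750 or whose group the web server user does not belong to. It assumes each domain's home sits directly under one base directory such as `/home` with a `public_html` subdirectory; the function names are hypothetical.

```python
import grp
import pwd
import stat
import sys
from pathlib import Path


def groups_of(user):
    """Names of every group (primary and secondary) that `user` belongs to."""
    names = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    names.add(grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name)
    return names


def group_name(gid):
    """Group name for a gid, or the number as text if it has no entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit(home_base, web_groups, subdir="public_html", want=0o750):
    """Return (path, problem) pairs for website directories that deviate."""
    findings = []
    for home in sorted(Path(home_base).iterdir()):
        site = home / subdir
        if not site.is_dir():
            continue
        st = site.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append((str(site), f"mode {mode:o}, expected {want:o}"))
        # With 750 the web server only gets in through the domain's group.
        owner_group = group_name(st.st_gid)
        if owner_group not in web_groups:
            findings.append((str(site), f"web user not in group {owner_group}"))
    return findings


if __name__ == "__main__":
    # Assumptions: homes under /home, Apache runs as "apache" (as in the post).
    base = sys.argv[1] if len(sys.argv) > 1 else "/home"
    problems = audit(base, groups_of("apache"))
    for path, problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it as root so every home directory can be read; an exit status of 1 means at least one domain still needs the group or permission change.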