Add webserver "apache" user to other groups

No… I’m crying :sob:
We work on servers that are located in some different factories. They aren’t connected to the internet because they are on a secure, isolated production LAN. I have to travel to the factory to do the setting… and if the local “admin”, adding a user, can reset some “critical” (to make the PHP web application work) settings like this, I have to travel and apply the setting again… it’s a very big trouble…

But… for now… I have to test your solution…
I’m creating a virtual machine… now I have to configure it like the server we have in production and test your solution…
I’m about to install the phpmyadmin module for NethServer 6.5 from your repo :wink:

The option -P is to preserve setting the ACL following the symlinks in the ibay folders… you can test without the -P if you cannot write in the symlinked folder.

I’m quite sure that an action can be made to automate the setfacl…

A script to automate the ACL for apache write permission:

vim /etc/e-smith/events/actions/nethserver-full-apache-write

#!/usr/bin/perl
use esmith::ConfigDB;
use strict;

# Load AccountsDB at run time so the action exits cleanly when it is missing
# (a compile-time "use esmith::AccountsDB" would die before this check runs).
eval { require esmith::AccountsDB };
if($@) {
    exit(0); # AccountsDB is not available, exit
}

my $db  = esmith::ConfigDB->open_ro();
my $adb = esmith::AccountsDB->open_ro();

my $event = shift || die("Missing event argument");
my $ibay = shift || die("Missing ibay argument");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;

# Nothing to do if the ibay is not served by the web server at all
my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if ($httpdstatus eq 'disabled');

my $httpwrite = $adb->get_prop($ibay,'HttpWritable') || 'disabled';

if ($httpwrite eq 'enabled') {
    # -P: do not follow symlinks; -R: recurse; the access ACL covers existing
    # files and the default ACL (d:) makes new files inherit the apache entry
    system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', "$ibaydir") == 0
        || die "Failed to set apache acl on the ibay $ibay\n";
}

Then chmod the file:

chmod 750 /etc/e-smith/events/actions/nethserver-full-apache-write

Create symlinks to the action:

ln -s ../actions/nethserver-full-apache-write /etc/e-smith/events/ibay-reset-permissions/S80nethserver-full-apache-write
ln -s ../actions/nethserver-full-apache-write /etc/e-smith/events/ibay-modify/S80nethserver-full-apache-write

Now you must set the HttpWritable parameter for each ibay to enabled (or disabled if you want to remove the full apache write permission on the ibay):

db accounts setprop IBAYNAME HttpWritable enabled
signal-event ibay-modify IBAYNAME

You can see the ACL on a folder or a file by doing:

getfacl /path/2/your/folder/path


Setting the ACL rule on both ibay folders, the upload/download from the webserver/PHP works!
Thanks!

Now I have to test the script…

I would never be able to write a script to automate that! I don’t know the Perl language, I’m not so skilled.
Great work, thank you! :wink:

It seems there is an error… when I try to reset permissions from the panel, this message is displayed:

Task completato con errori
S80nethserver-full-apache-write #2 (code 65280)

Is there any log that can be useful for debugging?

The shared folder names are: condivisa; applicazione

Is the script compatible with NethServer 6.5, or does it contain any variable/function that is for version 6.7 only?

Edit:
In the messages log I’ve found this:

Global symbol "$httpdstatus" requires explicit package name at /etc/e-smith/events/ibay-reset-permissions/S80nethserver-full-apache-write line 20.

Any idea for the script correction?

OK, a small typing error in the $httpdstatus variable declaration.
Here is the correct script:

vim /etc/e-smith/events/actions/nethserver-full-apache-write

#!/usr/bin/perl
use esmith::ConfigDB;
use strict;

# Load AccountsDB at run time so the action exits cleanly when it is missing
# (a compile-time "use esmith::AccountsDB" would die before this check runs).
eval { require esmith::AccountsDB };
if($@) {
    exit(0); # AccountsDB is not available, exit
}

my $db  = esmith::ConfigDB->open_ro();
my $adb = esmith::AccountsDB->open_ro();

my $event = shift || die("Missing event argument");
my $ibay = shift || die("Missing ibay argument");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;

# Nothing to do if the ibay is not served by the web server at all
my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if ($httpdstatus eq 'disabled');

my $httpwrite = $adb->get_prop($ibay,'HttpWritable') || 'disabled';

if ($httpwrite eq 'enabled') {
    # -P: do not follow symlinks; -R: recurse; the access ACL covers existing
    # files and the default ACL (d:) makes new files inherit the apache entry
    system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', "$ibaydir") == 0
        || die "Failed to set apache acl on the ibay $ibay\n";
}

Copy and paste the correction I made to my script; it should be good. Sorry for my fat fingers.

I published the correction at the same time :wink:
But the script is not working as I expected… I have to set apache to read and write on both shared folders, not only on the one that is the webroot…

You spoke about symlinks:

  • either set the option HttpWritable to enabled for each ibay
  • or remove the ‘-P’ to follow symlinks

I set the prop HttpWritable to enabled on both shared folders.
But the script applies the ACL settings only to the application shared folder, because it is the only folder that has HttpStatus “enabled”.
Using the script on the shared folder “condivisa” (file container), the script exits without applying the ACL setting → HttpStatus “disabled”

OK, the script is here to let apache get write permissions, but if apache is not allowed to read your ibay, maybe that is a nonsense?

Either modify the script

-  my $httpdstatus = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
-  exit 0 if ($httpdstatus eq 'disabled');

or allow apache to read your ibay.

Yes, it’s right…
To let apache read the folder, do I have to check “enable web access” in the menu of the NethServer shared folder module?
But for security reasons I don’t want the directory to be displayed “listed” on a web page. Only the web application has to access it (or the operator via samba).
Does checking “enable web access” automatically set the folder to be listed if the page server/sharedFolder/ is requested?

Did you try to remove the option ‘-P’ of the setfacl command?

Like this you should normally follow symlinks, but this makes me think that for really special or particular cases you should drop a virtualhost in /etc/httpd/conf.d and play with what you need.

Or add in the script:

  +  system ('/usr/bin/setfacl','-P','-R','-m','u:apache:rwX,d:u:apache:rwX', '/PATH/2/YOUR/SPECIAL/CASE/IBAY') == '0'
  + || die "Failed to set apache acl on the particular ibay \n";

This is the best way, because if I reset the permissions from the application directory the right ACL rules are set on both folders, but if the permissions are reset from the file shared folder, apache loses the ACL write/read permission.

Now everything works :wink:

P.S. Removing the -P option has no effect… ACL settings are not applied to the entire file shared folder to which the symlink points…


Hi, I just came back from holidays and see I missed a great discussion on this topic.

I want to remark that web application code should not be modifiable by the web server itself. Thus write permissions for apache must be tuned carefully. Also, following symlinks for the web server could be a security problem: SELinux is permissive for now, and users could be allowed to create them.

Today, Shared Folders are overloaded with “web hosting” features, like .htwritable and Virtual host. As I wrote on the manual page, they are not meant to be a complete web hosting solution.

Perhaps we should take back the Shared Folders module to the original idea of “file sharing”, and move the web hosting features to a specific module.


As you noticed perhaps… but @Technet wants to be able to upload files easily to his server, hence the samba share combined with the apache server. Obviously files can be modified through FTP, WebDAV and manually by scp… I would be more interested in adding more web-based features to the shared folder, and why not NFS support.

One huge advantage is that your data is available whatever the chosen communication protocol… no need to duplicate it for samba, NFS and web shares.

I agree that full permissions for apache are not good usually, but sometimes it is needed.

Some web applications have the ability to update themselves via a command triggered by a cron tab or, more usually, by a click on a button in the admin panel… so the webserver in some occasions needs the write permission.

I think that a web-hosting-specific module will be welcomed by NethServer’s users :wink:

OK, “in some occasions” write permissions are needed. If the normal application life does not require write permissions, could they be granted only during install/upgrade and revoked thereafter?

What are you thinking about?
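The action posted earlier only ever adds the ACL, so setting HttpWritable back to disabled (as the enable/disable toggle above describes) and the grant-only-during-upgrade idea just raised both need an explicit revoke path. The following is an added example, not the script from this thread nor NethServer code: a hypothetical e-smith action that grants apache's write ACL when HttpWritable is enabled and removes it when disabled, without the HttpStatus gate. It assumes the esmith::AccountsDB calls used in the thread (open_ro, get_prop) and that ibay records in the accounts db carry type=ibay.

```perl
#!/usr/bin/perl
# Hypothetical e-smith action (added example): grant the apache user write
# ACLs on an ibay when its HttpWritable prop is "enabled" and explicitly
# revoke them when it is "disabled".
use strict;
use warnings;

# Load AccountsDB at run time so the action exits cleanly when it is missing.
eval { require esmith::AccountsDB };
exit(0) if $@;

my $event = shift || die("Missing event argument\n");
my $ibay  = shift || die("Missing ibay argument\n");
my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;

# Only touch a real directory under the ibay root: a symlink planted there
# must not redirect the ACL change to a directory outside the share.
die("$ibaydir is not a directory\n") unless -d $ibaydir && !-l $ibaydir;

my $adb = esmith::AccountsDB->open_ro();
# Assumption: ibay records in the accounts db have type "ibay".
my $type = $adb->get_prop($ibay, 'type') || '';
die("$ibay is not an ibay\n") unless $type eq 'ibay';

my $writable = $adb->get_prop($ibay, 'HttpWritable') || 'disabled';

# -P: physical walk, never follow symlinks, so the ACL cannot leak onto a
# directory outside the ibay that a symlink points to; -R: recurse.
my @setfacl = ('/usr/bin/setfacl', '-P', '-R');

if ($writable eq 'enabled') {
    # Access ACL for existing files plus default ACL so new files inherit it.
    push @setfacl, '-m', 'u:apache:rwX,d:u:apache:rwX';
} else {
    # Remove both the access and the default entry for apache, so once the
    # maintenance window is over new files stop inheriting write permission.
    push @setfacl, '-x', 'u:apache,d:u:apache';
}

system(@setfacl, $ibaydir) == 0
    or die("setfacl failed on ibay $ibay (exit status " . ($? >> 8) . ")\n");
```

Toggling the prop with `db accounts setprop IBAYNAME HttpWritable disabled` followed by `signal-event ibay-modify IBAYNAME` after an upgrade then strips the apache entries again, which `getfacl` on the ibay will confirm.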

I ran an experiment by adding apache to ws1, the shared folder owner group. The commands are:

 # lgroupmod -M apache ws1
 # getent group ws1
ws1:*:5000:admin,apache

Restarted httpd, to update process privileges. Now apache has write access to the shared folder.

The limitation is: if ws1 changes, apache is removed from the list. An action could be written to make the change persistent. I’m planning to overcome this limitation in future versions of the Groups module.
