[gentoo-dev] RFC: UID/GID assignment for apache (81)

[gentoo-dev] RFC: UID/GID assignment for apache (81)

[Lars Wendler]

[-- Attachment #1: Type: text/plain, Size: 483 bytes --]

I would like to reserve UID/GID 81 for apache (www-servers/apache).

This is the historical UID/GID for apache user in Gentoo.
Fedora and RedHat use UID/GID 48. Arch Linux has no
"apache" user but a "http" user with UID/GID 33 (which is already
reserved in Gentoo).

Here are the commits for possible review:
https://github.com/Polynomial-C/gentoo/commits/accts-apache

-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39

[-- Attachment #2: Digitale Signatur von OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Michael Orlitzky]

On 8/13/19 1:14 PM, Lars Wendler wrote:
> I would like to reserve UID/GID 81 for apache (www-servers/apache).
> 
> This is the historical UID/GID for apache user in Gentoo.
> Fedora and RedHat use UID/GID 48. Arch Linux has no
> "apache" user but a "http" user with UID/GID 33 (which is already
> reserved in Gentoo).
> 
> Here are the commits for possible review:
> https://github.com/Polynomial-C/gentoo/commits/accts-apache
> 

By setting /var/www as apache's home directory, we're going to wind up
with /var/www being owned by apache:root. That's not quite right, for a
couple reasons:

  * The anonymous website user shouldn't be able to delete the entire
    web hierarchy using e.g. a wordpress exploit.

  * Every other web server wants to share /var/www, too.

For example, www-servers/cherokee wants /var/www to be the home
directory for the cherokee user, as does www-servers/ocsigenserver.
Hiawatha stores stuff under /var/www/hiawatha, and just about everybody
uses /var/www/localhost for the default vhost.

Thinking ahead -- would anything bad happen if we left the home
directory at its default? I don't think our default apache config needs
to own /var/www for any reason, but I'm not certain.

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Lars Wendler]

[-- Attachment #1: Type: text/plain, Size: 1583 bytes --]

Hi Michael,

On Tue, 13 Aug 2019 13:39:34 -0400 Michael Orlitzky wrote:

>On 8/13/19 1:14 PM, Lars Wendler wrote:
>> I would like to reserve UID/GID 81 for apache (www-servers/apache).
>> 
>> This is the historical UID/GID for apache user in Gentoo.
>> Fedora and RedHat use UID/GID 48. Arch Linux has no
>> "apache" user but a "http" user with UID/GID 33 (which is already
>> reserved in Gentoo).
>> 
>> Here are the commits for possible review:
>> https://github.com/Polynomial-C/gentoo/commits/accts-apache
>> 
>
>By setting /var/www as apache's home directory, we're going to wind up
>with /var/www being owned by apache:root. That's not quite right, for a
>couple reasons:
>
>  * The anonymous website user shouldn't be able to delete the entire
>    web hierarchy using e.g. a wordpress exploit.
>
>  * Every other web server wants to share /var/www, too.
>
>For example, www-servers/cherokee wants /var/www to be the home
>directory for the cherokee user, as does www-servers/ocsigenserver.
>Hiawatha stores stuff under /var/www/hiawatha, and just about everybody
>uses /var/www/localhost for the default vhost.
>
>Thinking ahead -- would anything bad happen if we left the home
>directory at its default? I don't think our default apache config needs
>to own /var/www for any reason, but I'm not certain.
>

thanks for the review. I've force-pushed the acct-user/apache commit
with ACCT_USER_HOME_OWNER being set to root:root.

Lars
-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39

[-- Attachment #2: Digitale Signatur von OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Mike Gilbert]

On Tue, Aug 13, 2019 at 1:39 PM Michael Orlitzky <mjo@gentoo.org> wrote:
>
> On 8/13/19 1:14 PM, Lars Wendler wrote:
> > I would like to reserve UID/GID 81 for apache (www-servers/apache).
> >
> > This is the historical UID/GID for apache user in Gentoo.
> > Fedora and RedHat use UID/GID 48. Arch Linux has no
> > "apache" user but a "http" user with UID/GID 33 (which is already
> > reserved in Gentoo).
> >
> > Here are the commits for possible review:
> > https://github.com/Polynomial-C/gentoo/commits/accts-apache
> >
>
> By setting /var/www as apache's home directory, we're going to wind up
> with /var/www being owned by apache:root.

The ebuild sets ACCT_USER_HOME_OWNER=root:root.

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Michael Orlitzky]

On 8/13/19 1:53 PM, Lars Wendler wrote:
> 
> thanks for the review. I've force-pushed the acct-user/apache commit
> with ACCT_USER_HOME_OWNER being set to root:root.
> 

Is there any benefit to

  ACCT_USER_HOME=/var/www
  ACCT_USER_HOME_OWNER=root:root

versus

  keepdir /var/www

in the eclass?

I think root:root is correct for /var/www, but setting it explicitly
will clobber any existing permissions that the administrator or other
packages have set. For example, if my web developers have write access
to /var/www via group membership, then when I install acct-user/apache,
/var/www will get set back to root:root with mode 755 and they'll be
locked out temporarily.

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Lars Wendler]

[-- Attachment #1: Type: text/plain, Size: 1023 bytes --]

On Tue, 13 Aug 2019 14:21:29 -0400 Michael Orlitzky wrote:

>On 8/13/19 1:53 PM, Lars Wendler wrote:
>> 
>> thanks for the review. I've force-pushed the acct-user/apache commit
>> with ACCT_USER_HOME_OWNER being set to root:root.
>> 
>
>Is there any benefit to
>
>  ACCT_USER_HOME=/var/www
>  ACCT_USER_HOME_OWNER=root:root
>
>versus
>
>  keepdir /var/www
>
>in the eclass?

If we leave ACCT_USER_HOME empty HOME will be set to
/dev/null for apache user. I don't know if this is what we want.

>I think root:root is correct for /var/www, but setting it explicitly
>will clobber any existing permissions that the administrator or other
>packages have set. For example, if my web developers have write access
>to /var/www via group membership, then when I install acct-user/apache,
>/var/www will get set back to root:root with mode 755 and they'll be
>locked out temporarily.
>

Lars

-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39



[-- Attachment #2: Digitale Signatur von OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Michael Orlitzky]

On 8/13/19 2:30 PM, Lars Wendler wrote:
> 
> If we leave ACCT_USER_HOME empty HOME will be set to
> /dev/null for apache user. I don't know if this is what we want.
I'm not 100% sure either, but it's pretty likely that if an unwritable
root-owned home directory would work, then so would /dev/null.

(It works fine on our web servers, but nothing is actually running as
"apache" on them.)

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Lars Wendler]

[-- Attachment #1: Type: text/plain, Size: 755 bytes --]

On Tue, 13 Aug 2019 14:43:11 -0400 Michael Orlitzky wrote:

>On 8/13/19 2:30 PM, Lars Wendler wrote:
>> 
>> If we leave ACCT_USER_HOME empty HOME will be set to
>> /dev/null for apache user. I don't know if this is what we want.
>I'm not 100% sure either, but it's pretty likely that if an unwritable
>root-owned home directory would work, then so would /dev/null.
>
>(It works fine on our web servers, but nothing is actually running as
>"apache" on them.)
>

I'm not really sure what the impact might be. I have only one single
apache installation and that is a productive one. I do not want to mess
with that installation.

Lars

-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39

[-- Attachment #2: Digitale Signatur von OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] RFC: UID/GID assignment for apache (81)

[Michael Orlitzky]

On 8/13/19 3:15 PM, Lars Wendler wrote:
> 
> I'm not really sure what the impact might be. I have only one single
> apache installation and that is a productive one. I do not want to mess
> with that installation.
> 

I'm not trying to hassle you, but now's the time to get it right. The
old enewuser method would leave an existing directory alone, but (to
support homedir/permission fixes in new revisions) acct-user.eclass will
modify the ownership and permissions of an existing directory. As a
result, it's especially important that we not choose a sensitive homedir
and enforce permissions/ownership that we might not really need.