secure PUT with Apache 1.2.5


Post by Lawson Fish » Fri, 13 Feb 1998 04:00:00



I followed the Apache Week article "Publishing Pages with PUT", and all
ran fine right out of the box. When I went to add a little security to
this, I lost my PUT. I now get the following error:

        Error Publishing File
        An error occurred publishing this file
        (Cannot write to /users/elf/public_html/COPYRIGHT.html).

The changes I made were all to the access.conf file:

        # make the PUT script available only to group putusers
        <Location /cgi-bin/putscript*>
        AuthType Basic
        AuthName Authorised PUT Publishers
        AuthGroupFile /opt/apache/.putusers
        AuthUserFile /opt/apache/.putpasswords
        require group putusers
        </Location>

        <Directory /users>
        Options Indexes IncludesNoExec FollowSymLinks MultiViews
        AllowOverride FileInfo AuthConfig Limit
        order allow,deny
        allow from all

        # limit PUT
        AuthType Basic
        AuthName Authorised PUT Publishers
        AuthGroupFile /opt/apache/.putusers
        AuthUserFile /opt/apache/.putpasswords
        Script PUT /cgi-bin/putscript
        <Limit PUT>
        require group putusers
        </Limit>
        </Directory>

The /opt/apache/.putusers file contains
        putusers: lawson elf

The /opt/apache/.putpasswords file contains:
        lawson:not_my_real_encrypted_password
        elf:not_my_real_encrypted_password

Both these files are readable by all. The ~elf/public_html directory
is writable by elf only (755 elf:users). I don't think I made the
stupid mistake....

I'm not trying to have the tightest security possible, but I'd like to
have an easily implemented amount. I was guessing on the <Location> stuff.
Was this the way to go? Where did I mess up?

Thanks, I'm just a parent volunteer at my kids' school trying to make
web publishing easier for them. I'm new to httpd stuff, but learning quick!

Any help will be greatly appreciated by 300 kids.

--------

 
 
 


Post by Paul Sutto » Sat, 14 Feb 1998 04:00:00



>I followed the Apache Week article "Publishing Pages with PUT", and all
>ran fine right out of the box. When I went to add a little security to
>this, I lost my PUT. I now get the following error:

> Error Publishing File
> An error occurred publishing this file
> (Cannot write to /users/elf/public_html/COPYRIGHT.html).

If you are using Apache Week's "put1" script, it writes a log
of the error message to /tmp/put1.log. Have a look at that
file for the real reason (it, for I hope obvious reasons,
does not tell the uploader the real reason for the error!).

>Both these files are readable by all. The ~elf/public_html directory
>is writable by elf only (755 elf:users). I don't think I made the
>stupid mistake....

The put1 script will be running as the *httpd* user, not you (assuming
you started Apache running as root). So the public_html directory needs
to be writable by the httpd user (see the User directive in your
httpd.conf). This is part of the reason why the Apache Week article
covers security in detail. It is difficult to make uploading
easy while maintaining adequate levels of security.

You might also want to look at using suEXEC to change who the
CGI program runs as.

Paul
--
Paul Sutton
Apache Week ..... latest Apache news ..... http://www.apacheweek.com/
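
The reply above comes down to which account the mode bits are evaluated for. The following is an added example, not part of the thread and not the put1 script: it applies the owner/group/other check to a constructed directory tree standing in for /users/elf/public_html. The server account's uid and gid are hypothetical stand-ins, and ACLs are ignored.

```python
import os
import shutil
import tempfile

def allowed(st, uid, gids, want):
    """Apply POSIX mode bits: owner class first, then group, then other."""
    if uid == 0:                       # root is not restricted by mode bits
        return True
    if uid == st.st_uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def can_create_in(directory, uid, gids, base=os.sep):
    """Can uid/gids create a file in directory? Walks from base down."""
    target, current = os.path.realpath(directory), os.path.realpath(base)
    rel = os.path.relpath(target, current)
    for part in [""] + ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part) if part else current
        if not allowed(os.stat(current), uid, gids, 1):   # x = search
            return False, "no search permission on " + current
    if not allowed(os.stat(target), uid, gids, 2):        # w = create entries
        return False, "no write permission on " + target
    return True, "ok"

def demo():
    """Constructed tree standing in for /users/elf/public_html."""
    root = tempfile.mkdtemp()
    pub = os.path.join(root, "elf", "public_html")
    os.makedirs(pub)
    for d in (root, os.path.join(root, "elf"), pub):
        os.chmod(d, 0o755)
    st = os.stat(pub)
    owner = (st.st_uid, [st.st_gid])
    httpd = (st.st_uid + 1, [st.st_gid + 1])   # hypothetical unrelated server account
    out = {"owner_755": can_create_in(pub, *owner, base=root),
           "httpd_755": can_create_in(pub, *httpd, base=root)}
    os.chmod(pub, 0o777)                        # the "writable by all" workaround
    out["httpd_777"] = can_create_in(pub, *httpd, base=root)
    os.chmod(pub, 0o775)                        # group-writable, server in owning group
    out["httpd_in_group_775"] = can_create_in(pub, httpd[0], [st.st_gid], base=root)
    shutil.rmtree(root)
    return out

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(case, ok, why)
```

Only the 755 case with an unrelated account is refused, which matches the "Cannot write to" error reported for a directory that is writable by elf only.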

 
 
 


Post by Lawson Fish » Sun, 15 Feb 1998 04:00:00



>You might also want to look at using suEXEC to change who the
>CGI program runs as.

OK, a closer reading of the PUT docs leads me to suEXEC, which is now
compiled & installed correctly (I got the suEXEC message when I restarted
the server).

   ace:~/apache# /opt/apache/start-httpd
   Starting httpd...
   Configuring Apache for use with suexec wrapper.

Now, I think I want to try the ~ID option:

   suEXEC can also be used to execute CGI programs as the user to
   which the request is being directed.  This is accomplished by using
   the ~ character prefixing the user ID for whom execution is desired.
   The only requirement needed for this feature to work is for CGI
   execution to be enabled for the user and that the script must meet the
   scrutiny of the security checks above.

I assume that in Netscape composer that I use ~elf (rather than the real
login of elf) in the "Publish Files" dialog. I've tried both (elf & ~elf),
and get the message

       hplabs.hpl.hp.com elf /users/elf/public_html/COPYRIGHT1.html
       status 500 (Cannot write to /users/elf/public_html/COPYRIGHT1.html)

in the /tmp/put1.log

If I open up ~elf/public_html to be writable by all, I can PUT fine.
I don't see any entries in my cgi.log file either. I am seeing some entries
from a cgi script in a user's area:

    [17:10:03 13-02-98]: uid: (akosut/akosut) gid: (admin/admin) email.cgi
    [17:14:28 13-02-98]: uid: (akosut/akosut) gid: (admin/admin) list.cgi
    [17:14:28 13-02-98]: command not in docroot
                         (/users/akosut/startrek/l/list.cgi)

Which I don't have a clue about (other than Alexei is on the Apache team &
graduated from Nueva School.... is this relevant?)

So, I think I have all but the suexec working. It must be progress :-)

Thanks

-------
Lawson Fisher

 
 
 
