I am on a Raspberry PI 3 model B that is running Apache and I have some
questions.
I am trying to implement a proper LAMP stack. I think that LAMP means
Linux, Apache, M usually means
mysql which is an SQL database, and P in my case means PHP. In my case,
I am going to use SQLITE3 eventually.
I need to call a proprietary program from Apache which communicates over
a local unix socket
with another proprietary program. I think that all proprietary software
belongs somewhere
under /opt. I want to put some proprietary software under /opt/apex
because apex is the name
of the company I am working for. I think the software should be in
/opt/apex/bin or
/opt/apex/cgi-bin that Apache will call. If Apache should never start a
program that is
outside the config file specified cgi-bin or the config file specified
document root or
a user's legitimate cgi-bin or a user's legitimate document root, how do
you start a
program that is somewhere under /opt? The program that Apache needs to
call is udp_client
which is under /opt somewhere. Apache's default cgi-bin is
/usr/lib/cgi-bin and that's
what I have it set to. Apache's default document root is /var/www and
that is what I
have Apache's document root currently set to.
I've thought of the following set up:
/opt/apex/bin:
udp_client r-xr-x--- steadyshot:<apache's-group>
controller r-xr-x--- steadyshot:steadyshot
Apache exexcutes a php script that calls udp_client.
An important excerpt from that php script follows:
<?php
...
shell_exec("/opt/apex/bin/udp_client 127.0.0.1 $port '/LoadPlot
\"$path\"'");
shell_exec("/opt/apex/bin/udp_client 127.0.0.1 $port \"/GotoImage
$group\"");
shell_exec("/opt/apex/bin/udp_client 127.0.0.1 $port '/Rotate 0,0,0'");
shell_exec("/opt/apex/bin/udp_client 127.0.0.1 $port '/GotoSection
\"$truss\"'");
...
?>
Note: $path and $truss were set from POST values. Another php script
was run
by Apache to finish the upload of a text file. That script called the
script
we are talking about and it posted the values that $path and $truss were
set
from in the excerpt. The $path is the absolute path to the file in
Apache's
upload directory. The $truss is a name extracted from that uploaded
text file.
Right now, that uploaded text file is under Apache's document root in
the
subdirectory uploads and is called whatever.tps or whatever.dxf.
The php excerpt above sends four commands and three related strings in
those
commands to the proprietary program controller. For now, $port comes
from
controller's settings file which will eventually be a sqlite3 database
file.
I need to know where this sqlite3 database file belongs on the Pi for
Apache
and controller to share it. Ignore the problem of our php script
setting
$port correctly, I'll solve that problem soon enough when the settings
that
controller and Apache share are no longer in a text file with ownership
pi.pi and mode set to 644.
Note: $port is a udp port that controller listens to on
localhost(localhost is 127.0.0.1).
Note: $group is set to a number that our script extracted from
controller's current_state.dat
text file. I don't know: what the owner of that text file should
be, what the group
should be, and where the file should be on my Pi's file system. I
do know that the
file is created by the proprietary program controller. I do know
that controller is
completely responsible for the maintenance of this text file. Our
php script currently
sets a variable called group by extracting it using grep, cat, and
cut on current_state.dat.
Current location of current_state.dat is say
/opt/apex/truss_files/current_state.dat.
Current owner is say steadyshot with current group set to say
steadyshot. Steadyshot
is a system level user. I don't know what the permissions should
be on controller's
file for Apache to extract what is needed from it. Maybe
controller's state file should
be a sqlite3 database file as well. Currently, the mode of
controller's settings.config
is 644. Apache of course can read a world readable text file.
Should a controller file that Apache needs to read be world
readable or should Apache have
as a supplementary group a group that is allowed to read
controller's file? Second problem,
where should this file that controller needs to share with Apache
be? Currently,
current_state.dat is in a home directory where I don't Apache
should have access or
it is under /opt somewhere where possibly Apache should not have
access.
The $path is to a local text file that controller must be able to read.
This text file was uploaded to the Apache server by a remote client.
The file will be in /var/www/uploads and will be named <some-name.tps>
or <some-name.dxf> with ownership www-data:www-data and the file's mode
currently gets set to 644. Controller can currently read the file
because of the last 4 in 644. My document root is /var/www by the way,
don't know if that's proper anymore. Comments needed on whether current
the ownership of the file and the current mode of the file is proper for
a LAMP stack. Should the text file be world readable after it is
uploaded by Apache from say a Windows client and should this text file
remain world readable indefinitely? Should a file that is uploaded to
Apache server ever be owned by a user or group that is different from
the user and group that Apache is running under? I'm asking from a
security standpoint.
Let's say that controller is running under a system account, call this
account steadyshot. What is the standard way to allow controller
running as steadyshot to read Apache's uploaded files? I don't think
controller should have Apache's group as a supplemental group. I prefer
to not mess with supplemental groups. I don't know from a security
standpoint if Apache's uploaded files should ever be world readable by
any random program running locally. You can't read a file owned by
another user and another group when that group is not one of your
supplementary groups and that file is not world readable. Should any
file that Apache uploaded have an owner other than what Apache is
running as? Say that Apache is running as user and group www-data.
Apache's uploaded files then should have their ownership set to
www-data:www-data then. It hurts my head to imagine the ownership of
Apache's files being say steadyshot:www-data or possibly
www-data:steadyshot. Can Apache even set the owner or group of an
uploaded file to steadyshot? I guess you'd change group to steadyshot
with mode 644 on the file.
I think Apache should have permission to clear any file from uploads.
Controller creates a png image file (from <some-name.tps> or
<some-name.dxf>). Controller must copy to or create directly in
Apache's document root this png image file. I don't know what the
permissions and ownership of <some-name.png> created by controller
should be. Should controller be able to create files in /var/www
directly? The file has to get into Apache's document root and of course
Apache needs to display it. This png image will be of a truss defined
in the <some-name.tps> or <some-name.dxf> text file uploaded by Apache
earlier. A dxf file defines one truss, a tps file defines 1 or more
trusses. What is the best way for controller to create a png image file
in Apache's document root with the correct ownership and permissions?
If controller can't write the file to Apache's document root where it
belongs, where should controller write it to and how should I get this
file copied to Apache's document with the correct permissions and
correct ownership? I'm thinking that I might need a daemon running
under root to copy this png image file to Apache's document root and
set the permissions and ownership on that copy correctly.
Currently, my Apache document root:
pi:/home/pi $ ls -l /var
total 102440
...
drwxrwx--- 8 pi www-data 4096 Jan 10 10:55 www
...
The user and group ownership of Apache's document root on my Pi is
pi:www-data. I want to get
rid of the pi user for security reasons. What is the appropriate user
and group for Apache's
document root? What is the appropriate mode for Apache's document root?
I assume that the ownership of my Apache document root should be
www-data.www-data.
I'm thinking that files in the document root which are static web pages
should be mode 550.
I'm thinking that every file in Apache's document root should be owned
by Apache's owner
with the group set to Apache's group. Should any file in or below
Apache's document
root be owned by any user or any group that Apache is not running as?
If the mode of the document root is 770, then programs which are not
running as the user that www is
set to and which do not have as a supplementary or primary group the
group that www is set to can't write anything to the directory or read
anything in the directory. I'm fairly certain that the owner of
Apache's document root should be the user that Apache is running as.
That leaves possibly setting the group to something else or making the
document root world readable and world writable. Maybe I need to set up
a group that Apache and other programs that need to manipulate files in
Apache's document root share. I set up the document root's ownership to
say www-data:apache-writers. Every single program on my Pi that needs
to place files in the document root has as a supplementary group
apache-writers. This forces me to set up the supplementary group
apache-writers for multiple users on my Pi(probably multiple system
users). Again, I don't know what the standard way to allow multiple
programs owned by different system accounts to manipulate files in
Apache's document root. I also don't know what the permissions and
ownership should be on files in Apache's document root. Problem, files
that are uploaded by Apache may have to have a group change from
Apache's group to the shared group. I'm assuming that the Apache group
should never be a supplementary group of other programs on my Pi or else
I will just have programs set the group on files in Apache's root to
Apache's group.
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
