
What should be the right file permissions for program executables and log files?

I have written a Linux system wide C++ program /usr/bin/PROG_X that uses a configuration file /etc/PROG_X.conf and log file /var/PROG_X.log.

Now I need to call this program, after strong authentication, from the web using Apache web server and PHP. Calling the program may involve changing configuration files and will change, of course, log files.

I am interested in keeping SELinux enabled.

My question is: What user/group and what file permissions should be set for the binary file, configuration files and log files for proper and secure operation?

For the most locked-down approach (assuming the log and config are sensitive):

Apache runs as user 'www'; a 'progx' user and group exist for the sole purpose of running /usr/bin/PROG_X.

/etc/PROG_X.conf is owned by root:progx, and has permissions 640
/var/PROG_X.log is owned by root:progx, and has permissions 660
/usr/bin/PROG_X is owned by progx:progx, and has permissions 500
/etc/sudoers allows www to run only /usr/bin/PROG_X as progx.

Thus, only root and progx can see the config or read/write the log file, and only root can modify the config. Only progx can run the program, but Apache can specifically launch your program as progx via sudo.

[Edit: missed the part that said the program may need to change its config file... so the permissions would be 660 instead]
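
A way to audit the layout from the answer above, as an added example that is not part of the original answer. It uses GNU stat, takes the 660 config mode from the edit note, and adds a check that the containing directories are not group- or world-writable; the function names, the optional ROOT prefix argument and the NOPASSWD tag in the commented sudoers rule are assumptions.

```shell
#!/bin/sh
# Added example: audit the owner/group/mode layout described in the answer.
# Needs GNU stat (Linux). Matching sudoers rule for the Apache user, edited via
# visudo (NOPASSWD is an assumption: Apache cannot answer a password prompt):
#   www ALL=(progx) NOPASSWD: /usr/bin/PROG_X
# The PHP side would then run: sudo -u progx /usr/bin/PROG_X

# check_perm PATH OWNER GROUP MODE -> 0 only on an exact match
check_perm() {
    path=$1; want="$2:$3 $4"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path" >&2
        return 1
    fi
    have=$(stat -c '%U:%G %a' "$path") || return 1
    if [ "$have" != "$want" ]; then
        echo "MISMATCH $path: have '$have', want '$want'" >&2
        return 1
    fi
    return 0
}

# loose_parent PATH -> 0 if the containing directory is group- or
# world-writable (whoever has that access could replace PATH itself)
loose_parent() {
    dmode=$(stat -c '%a' "$(dirname "$1")") || return 2
    case $dmode in
        *[2367]?|*[2367]) return 0 ;;   # write bit in group or other digit
    esac
    return 1
}

# audit_layout [ROOT] -> exit status is the number of findings.
# ROOT is a hypothetical prefix for checking a staging tree instead of /.
audit_layout() {
    root=${1:-}; fail=0
    while read -r rel owner group mode; do
        check_perm "$root$rel" "$owner" "$group" "$mode" || fail=$((fail+1))
        if loose_parent "$root$rel"; then
            echo "LOOSE DIR $(dirname "$root$rel")" >&2; fail=$((fail+1))
        fi
    done <<EOF
/etc/PROG_X.conf root progx 660
/var/PROG_X.log root progx 660
/usr/bin/PROG_X progx progx 500
EOF
    return "$fail"
}
```

Run audit_layout as root on the target host; an exit status of 0 means every file and directory matched.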

Well, I don't know about SELinux, but several "traditional" solutions come to mind:

First, chown root /usr/bin/PROG_X and then set the setuid bit with chmod +s /usr/bin/PROG_X. The setuid bit causes the program to not run as the current user but as the owner of the file (in that case, root). This means you would need to really make sure your program is as secure as possible. So use with care.

An alternative to setuid might be to add an appropriate entry in /etc/sudoers for the program and call it via sudo. But it has the same security implications as the program will run as root, but at least you can be more fine-grained with the access (e.g. you could only allow the "www" user to run the program as root).

Another solution might be to chown root:wwwrun all_of_the_files_that_PROG_X_need_to_modify. But that would only work if you know exactly which files and also if that set of files doesn't change.
