Trey Dockendorf
2011-Aug-09 02:32 UTC
[CentOS] Using Samba to share Apache web root, securely
I'm setting up a shared web server running Apache. Each web root will belong to a department, which has a corresponding Active Directory group to give access. So far I've got samba working and such, but am having some trouble wrapping my head around the necessary permissions to make all this work, especially securely. So far I've found that both the POSIX and the ACL permissions must both allow a user to write to a directory, which is proving problematic. Is it better to give the web root directories very "loose" permissions and have Samba manage who can access the folders?

A few options I've come across would have a user's logged in account mapped to the "apache" user through samba, using the "force user", but that seems like a security risk allowing users to be apache. Another option I currently have working is using a default ACL for apache to give the web server read of all the files. The problem I have with this is some directories require write and some files should have read only (like db config files), so again a global permission set doesn't seem to work.

I'd be very interested in knowing how someone has solved a problem like this.

Thanks
- Trey
On Mon, 2011-08-08 at 21:32 -0500, Trey Dockendorf wrote:
> I'm setting up a shared web server running Apache. Each web root will
> belong to a department, which has a corresponding Active Directory
> group to give access. So far I've got samba working and such, but am
> having some trouble wrapping my head around the necessary permissions
> to make all this work, especially securely. So far I've found that
> both the POSIX and the ACL permissions must both allow a user to write
> to directory which is proving problematic. Is it better to give the
> web root directories very "loose" permissions and have Samba manage
> who can access the folders?
>
> A few options I've come across would have a user's logged in account
> mapped to the "apache" user through samba, using the "force user", but
> that seems like a security risk allowing users to be apache. Another
> option I currently have working is using a default ACL for apache to
> give the web server read of all the files. The problem I have with
> this is some directories require write and some files should have read
> only (like db config files), so again a global permission set doesn't
> seem to work.
>
> I'd be very interested in knowing how someone has solved a problem
> like this.
----

mkdir /var/www/html/department_a
chown root:department_a /var/www/html/department_a
chmod g+ws /var/www/html/department_a

smb.conf

[Department A Web]
    comment = Department A Web Server
    # your call on this one
    browseable = Yes
    writeable = yes
    path = /var/www/html/department_a
    directory mask = 775
    create mask = 664
    valid users = @department_a

That should work. If you have spaces in group names (one of the things I love about Windows), use @"department a"

Craig
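The steps in Craig's reply, scripted end to end as an added example that is not code from the thread: create the department root as root-owned, group-owned and setgid group-writable, keep the database config file (Trey's read-only case) out of the group-writable default, optionally give the web server user read access through a default ACL as Trey described, print the matching smb.conf stanza (with the quoting Craig mentions for group names containing spaces), and verify the resulting modes. The group names, the "apache" user and the db-config.php file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It scripts the layout Craig's reply
# describes (root-owned directory, department group, setgid + group write), keeps
# the database config file out of the group-writable default, prints the matching
# smb.conf stanza and verifies the result. Group names, the "apache" user and
# the db-config.php file name are assumptions; replace them with your own.

# create_dept_webroot ROOT GROUP
# Create ROOT, give it to GROUP and set mode 2775: group-writable, with setgid
# so files and subdirectories created through the share inherit the department
# group (the thread's "chmod g+ws"). Needs root or membership in GROUP.
create_dept_webroot() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2775 "$1" || return 1
    # db config: group may read, nobody else; not writable through the share.
    # "db-config.php" is an assumed name standing in for the "db config files".
    : > "$1/db-config.php" || return 1
    chgrp "$2" "$1/db-config.php" || return 1
    chmod 0640 "$1/db-config.php"
}

# mode_of PATH: octal mode including the setgid bit, e.g. 2775 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# group_of PATH: owning group name (GNU stat).
group_of() { stat -c '%G' "$1"; }

# check_dept_webroot ROOT GROUP: returns 0 if the layout is what we intended.
check_dept_webroot() {
    [ "$(mode_of "$1")" = 2775 ]  || { echo "$1: expected mode 2775" >&2; return 1; }
    [ "$(group_of "$1")" = "$2" ] || { echo "$1: expected group $2" >&2; return 1; }
    [ "$(mode_of "$1/db-config.php")" = 640 ] || { echo "db config must be 0640" >&2; return 1; }
}

# grant_webserver_read ROOT USER
# Optional, the default-ACL approach Trey already has working: the web server
# user (assumed "apache") gets read and traverse on everything without being a
# member of the department group. Read-only on purpose: the group does the
# writing, the web server only serves. Needs the acl tools and an existing USER,
# so the checks above do not call it.
grant_webserver_read() {
    setfacl -R -m "u:$2:rX" -m "d:u:$2:rX" "$1"
}

# smb_stanza NAME PATH GROUP: the share definition from Craig's reply.
# A group name containing spaces is quoted: valid users = @"department a"
smb_stanza() {
    printf '[%s]\n' "$1"
    printf '    comment = %s\n' "$1"
    printf '    browseable = yes\n'
    printf '    writeable = yes\n'
    printf '    path = %s\n' "$2"
    printf '    directory mask = 775\n'
    printf '    create mask = 664\n'
    case "$3" in
        *' '*) printf '    valid users = @"%s"\n' "$3" ;;
        *)     printf '    valid users = @%s\n' "$3" ;;
    esac
}
```

Typical use is `create_dept_webroot /var/www/html/department_a department_a` as root, then `smb_stanza "Department A Web" /var/www/html/department_a department_a >> /etc/samba/smb.conf`; `check_dept_webroot` is the quick audit to run afterwards, and again whenever someone reports a "cannot write" error, since a lost setgid bit or a stray chgrp is the usual cause.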
m.roth at 5-cent.us
2011-Aug-09 13:33 UTC
[CentOS] Using Samba to share Apache web root, securely
Trey Dockendorf wrote:
> I'm setting up a shared web server running Apache. Each web root will
> belong to a department, which has a corresponding Active Directory group
> to give access. So far I've got samba working and such, but am having
> some trouble wrapping my head around the necessary permissions to make
<snip>
> I'd be very interested in knowing how someone has solved a problem like
> this.

What I've done, where developers, for example, need to put updated pages in, is to have the directories owned by apache/httpd, but in the *group* that they belong to, and make it group writeable.

mark
On Tuesday, August 09, 2011 05:34:52 PM Trey Dockendorf wrote:
> That will probably be the best option while we move these sites to a CMS.
> The users are accustomed to using Windows drive letters that are mapped by
> our AD to access their content, and I'd like to have to leave that intact
> for now.

Just as a pointer, have you looked at some form of WebDAV? Many CMS's (Plone, for instance) can do WebDAV out of the box, and it's rather transparent, especially with a frontend like Enfold Desktop. You could then migrate one user at a time, even, if you stage it properly. It seems to be more efficient and at least as secure as SMB/CIFS shares are. And requires many fewer network 'concessions' to the protocol involved....

On the first page of a google search for 'WebDAV "mapped drive letter"' I find:
http://systembash.com/content/map-drive-letter-sftp-ssh-review/
which looks pretty interesting to me....
Nguyen Vu Hung
2011-Aug-11 02:41 UTC
[CentOS] Using Samba to share Apache web root, securely
On 09/08/2011 at 09:32, Trey Dockendorf wrote:
> I'm setting up a shared web server running Apache.

If they are OK with svn, why not go for svn+ssh and an svn update cronjob on the httpd side? I presume that human beings always make errors, so the reason is that you can track the changes and save their ass from misoperation.

Cheers,

Nguyen Vu Hung