4

I created myself a NAT for home use (Ubuntu+Samba+Greyhole+Apache+MySQL+other web server related stuff). 90% of files I store there are pictures that i really don't want to lose (that's why Greyhole). As image gallery is getting bigger and bigger I got an idea to create web image gallery where I could sort images trough tags which would enable search later on etc. Creating gallery isn't really a problem as i'm pretty handy with php/mysql/css/js.

My problem is security and system level file sharing and accessibility.

Web application (gallery) dir is: var/www/html with owner www-data:www-data.

and pictures are in /LandingZone/images (well, symlinks to pictures are there, as images themselves are copyed and moved around by greyhole).

/LandingZone/images ownership is: myusername1:greyhole (greyhole being group where there is: myusername1 and myusername2 users as they both need to have access to shares read/write).

Now, what I need to do is somehow enable read only access to /LandingZone/images for www-data user without putting images to risk and I don't know Linux groups / users permission as good as I'd like to to feel comfortable and test on my own.

Web server itself is accessible through internet as I set up dyndns like service so I wouldn't like to for example put www-data user into greyhole group and enable attacker to delete all pictures or something like that.

Is there a way to somehow create read only symlinks for that folder and give www-user power to read files from it?

I did manage to get that share to be somehow "liked" from /var/www/html/gallery/images by using:

$ mount --bind /LandingZone/images /var/www/html/gallery/images
$ mount -o remount,ro /var/www/html/gallery/images

but my web server has no access to those files because of ownership (I guess).

Now how do I deal with it? Can I just put www-data user into greyhole group so web server gets access to files and still be safe that for example attacker that takes over control of gallery software wont be able to delete images? Or should i do it some other way by not even using mount?

I'm open to suggestions.

Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
Ljudotina
  • 41

1 Answers1

-1

Best type of security of file of web is read from db, if possible import into a db such as mysql or postgresql and when user request, you fetch from db.

You have two types of picture files:

  • files are bieng viewed as part of your html ### you have to save as file no db
  • files are being created as part of your content ### you have to save-restore into/from db
PersianGulf
  • 10,850
  • My gallery will have db, and will be displayed inside html, but problem is that apache can not access thhem, as he ha sno permissions to access those files. – Ljudotina Sep 23 '14 at 07:43
  • Do you have httaccess file? if true, or disable or delete in image dir. – PersianGulf Sep 23 '14 at 12:42
  • No, i do not have .htaccess file. I was not aware that .htaccess can have affect on ownership of directory. What i basicly need is to enable for user1 (www-data in my case) to have read only access to directory that is under ownership of user2:group2 – Ljudotina Sep 23 '14 at 16:16
  • use acl packages and get user and group www-data to your images. – PersianGulf Sep 23 '14 at 18:14
  • 1
    https://wiki.archlinux.org/index.php/Access_Control_Lists – PersianGulf Sep 23 '14 at 18:15
  • ACL it is...thanks...id idint know it exists...i tought my only hope was some kind of kinky mix of chmod / chown / simlink / readonly mount, thanks. – Ljudotina Sep 23 '14 at 18:24