I would like to know how I can constrain a user to only be able to access, and have RWX permissions on, directories like /etc/httpd, /etc/php and /var/www/html, as well as its own home directory.

Also I would like to be able to constrain this user to only be able to start/stop/restart the Apache service.

All I could think of is chroot, but I have just done that with one directory. Any ideas?

Jeff Schaller
VaTo

2 Answers


A jailed user won't be able to access those folders as-is. If you have acl enabled on the filesystem, you could create a regular user and control access to the directories by using an access control list.

To give user 'Bob' access to the directories, create a group, place Bob in that group and then recursively give the group access to all existing and newly created files in /etc/httpd/:

# groupadd WebAccessGroup
# usermod -a -G WebAccessGroup Bob
# setfacl -Rm d:g:WebAccessGroup:rwx,g:WebAccessGroup:rwx /etc/httpd/

You could also give just user "Bob" rwx access to /etc/httpd without creating a group:

# setfacl -Rm d:u:Bob:rwx,u:Bob:rwx /etc/httpd/

To allow the WebAccessGroup group to start and stop Apache, you could give the group sudo access to run the specific script that you call to start/stop Apache as root:

Use the 'visudo' command to add the following to your /etc/sudoers file:

# visudo
# members of WebAccessGroup may run this one binary as root (path matches the start command below)
%WebAccessGroup   ALL=(root)    NOEXEC: /usr/sbin/httpd

And then Bob would start Apache using sudo:

$ sudo /usr/sbin/httpd -k start

Note: If you run Apache on a non-standard port as a non-root user ("anotheruser" in this example), it's safer and better to change ALL=(root) to ALL=(anotheruser) and to run the start command like:

sudo -u anotheruser /usr/sbin/httpd -k start
L.Ray
  • I think this is a very interesting approach. How can I make sure that I have acl enabled on my filesystem? – VaTo Jan 23 '18 at 21:36
  • You can run 'tune2fs -l /dev/ | grep acl' to check if acl is enabled for your filesystem. Also, make sure that in /etc/fstab, you've included the acl flag when mounting your filesystem (I think "defaults" includes acl). – L.Ray Jan 23 '18 at 21:43
  • And to give them access to another directory, e.g. /etc/php, I just add them with setfacl -Rm d:u:Bob:rwx,u:Bob:rwx /etc/php/, and I can keep adding them to all the directories I want to? Another question is, is this safe? I mean, with this approach there's no way they will be able to go out of that directory and execute other files, etc.? – VaTo Jan 23 '18 at 22:01
  • Yes to your first question. Just run the same setfacl command against each directory you want to grant access to. And yes to your second question. You're only giving access to the directory tree you specify, and only to the user you specify. Just make sure nothing you don't want to grant access to is under the directory path you specify. – L.Ray Jan 23 '18 at 22:19
  • Just a question, I'm getting an error when I try to execute the last command: "user bob is not allowed to execute sudo -u bob /usr/sbin/httpd -k start as bob on localhost" – VaTo Jan 24 '18 at 01:19
  • Is /usr/sbin/httpd owned by bob? Can you paste the output of ls -l /usr/sbin/httpd and getfacl /usr/sbin/httpd? – L.Ray Jan 24 '18 at 01:26
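A small checker, added here as an example and not part of L.Ray's answer, that models how a sudoers rule of the literal form used above is matched against an invocation. It is a simplification of real sudo (no aliases, wildcards or argument matching), but it is enough to show why a rule whose Runas part is (root) rejects `sudo -u bob ...`, and why the command path in the rule must match the path actually run:

```python
import re
from dataclasses import dataclass

# Matches "<user|%group> <host>=(<runas>) [TAG:...] <command>" (constructed, simplified)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


@dataclass
class Rule:
    who: str      # "Bob" or "%WebAccessGroup"
    host: str     # "ALL" or a hostname
    runas: str    # user the command may be run as (the -u argument)
    tags: tuple   # e.g. ("NOEXEC",)
    cmd: str      # absolute command path; "ALL" is not handled here


def parse_rule(line):
    """Parse one sudoers line of the simple form shown in the answer."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised sudoers line: {line!r}")
    tags = tuple(t.rstrip(":") for t in m.group("tags").split())
    return Rule(m.group("who"), m.group("host"), m.group("runas"),
                tags, m.group("cmd"))


def allowed(rule, user, groups, runas, command, host="localhost"):
    """Would `sudo -u <runas> <command>` run by `user` match `rule`?"""
    # Who: a %group entry matches any member, otherwise the exact user name.
    if rule.who.startswith("%"):
        if rule.who[1:] not in groups:
            return False
    elif rule.who != user:
        return False
    # Host and Runas must match (ALL is the wildcard sudo uses).
    if rule.host not in ("ALL", host):
        return False
    if rule.runas not in ("ALL", runas):
        return False
    # Command: exact path match only; arguments are ignored in this model.
    return rule.cmd == command


if __name__ == "__main__":
    r = parse_rule("%WebAccessGroup   ALL=(root)    NOEXEC: /usr/sbin/httpd")
    print(allowed(r, "bob", ["WebAccessGroup"], "root", "/usr/sbin/httpd"))  # True
    print(allowed(r, "bob", ["WebAccessGroup"], "bob", "/usr/sbin/httpd"))   # False
```

The second call reproduces the situation from the comments: the group rule grants the command only as root, so running it with -u bob does not match.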
On Linux, you could use bind mounts to make other directories visible within a chroot:

# mkdir -p /users/chroot/var/www/html
# mount --bind /var/www/html /users/chroot/var/www/html
etc.

To allow a user to restart a single service, you could use sudo and allow the user to run commands like service apache2 restart, and the like.

Having the user in a chroot and allowing the user to restart a service that lives outside the chroot might be difficult, though. It would require everything required by the service manager (systemd?) to be visible in the chroot. At that point, it's probably easier to run the whole server inside the same chroot (or container, or virtual machine).

ilkkachu
  • But my concern is that you are saying that the user should be able to sudo, which is something that I don't want the user to be able to do. I was thinking that adding the user to the apache group might make the user able to start/stop the service. – VaTo Jan 23 '18 at 21:11