Does adding an user to the apache group creates a security hole?
Solution 1:
Any permission setting can create a security issue in some environments, if the impact of the permissions are not understood.
Adding a user to a group, will generally not give any special privileges to that group. Files owned by the user will not normally be visible to members on that group, since you are probably not setting that group as the default group for that user.
If the user uses sg or something to create files so that group has access to the file, then any members of that group will to the file. If that person creates some file or directory and grants read-write privileges to that group, then potentially, a bug in the web server or code being served could be exploited to store arbitrary files in that directory, and serve that out.
In some kind of multi-tenant arrangement granting permissions to the apache group may allow a tenant to see data created and owned by another tenant.
In any case, just take some time and use the find
command with the -gid
option to filed files and directories on your system that belong to that group. That will let you see what you are granting access to, when you add a user to a group.