Does adding an user to the apache group creates a security hole?

security linux apache-2.2

Solution 1:

Any permission setting can create a security issue in some environments, if the impact of the permissions are not understood.

Adding a user to a group, will generally not give any special privileges to that group. Files owned by the user will not normally be visible to members on that group, since you are probably not setting that group as the default group for that user.

If the user uses sg or something to create files so that group has access to the file, then any members of that group will to the file. If that person creates some file or directory and grants read-write privileges to that group, then potentially, a bug in the web server or code being served could be exploited to store arbitrary files in that directory, and serve that out.

In some kind of multi-tenant arrangement granting permissions to the apache group may allow a tenant to see data created and owned by another tenant.

In any case, just take some time and use the find command with the -gid option to filed files and directories on your system that belong to that group. That will let you see what you are granting access to, when you add a user to a group.

Related

Is there any way to build a linux software raid system without all drives?
How do I prevent one IP from creating a DNS entry on a multi-homed server?
Connecting to SQL server instance on VM via host-only network
IP Table, what does this construct mean ::INPUT ACCEPT [0:0]
Varnish purge on POST or PUT
How to disable ICMP redirect packets in Cisco IOS?
Linux Load Averages and HyperThreads
iSCSI SAN - Network adapter bottleneck
Authenticating to Exchange 2010 smarthost?
RAID card w/1x mini-SAS connector : how do I physically connect 16 disks?
Why can I define structures and classes within a function in C++?
How to log exception and message with placeholders with SLF4J