Impossible access for simple user under /var/www (owned by root)

Discuss Advanced use case
1

Hi,

I recently discovered a new limitation (not really a bug I guess?) on my Yunohost server, but I cannot remember when it began (after which upgrade, or not). For information my yunohost server is totally up-to-date (I upgrade it very often).

I use the same server for both Yunohost and also as a generic webserver of mine, hosting some little static websites under /var/www. Historically, I pushed update to these projects using an rsync command from my computer. Even if the /var/www folder itself was owned by a system account (www-data or root? I don’t remember exactly) I once created subfolders for each of my little projects, these folders being owned by a simple user (uid 1000).

It works like a charm until recently: now, when I try to access these subfolders, either by rsync or directly on the server with a cd, I got a “Permission denied” error.

Logged in as the admin account, I don’t have this error, even if the folder does not belong to it. Obviously root has no problem either.

Here is the output of the ls command on /var/www:

$ ll /var/www
total 60K
drwxr-xr-x+ 15 root       root       4.0K Apr 12 23:23 .
drwxr-xr-x  12 root       root       4.0K Jul 16  2020 ..
drwxr-xr-x   5 simpleuser simpleuser 4.0K Apr 19 16:04 project1
drwxr-xr-x  11 simpleuser www-data   4.0K Dec 30 13:41 project2
drwxr-xr-x   2 root       root       4.0K Dec  6  2018 html
drwxr-xr-x  14 root       root       4.0K Mar  5 11:10 roundcube
[…]

The only thing which looks like different from other system I already manage, is the + sign at the end of the ACLs bits of the /var/www directory. I must admit I’m not a ACL UNIX expert and only understand the minimal things around chmod/chown :confused: Thus I wonder if it is not the thing called “setuid” or “setgid” or even “sticky bit”, but I’ve no idea how it appears, what it is about and how to work with. On another server of mine, without yunohost, but on the same Debian version, I don’t see that + sign.

Looking at the man page of chmod, I stupidly tried a simple chmod 00755 /var/www as root to remove setuid if it was that. But it changed nothing and the + is still there.

So any help would be welcome, to give me some directions to understand what happen (what is this +? Is it safe to remove it? and how?)

Thank you very much!

2

Yes, /var/www has some specific ACL permissions for security reasons, to prevent malicious yunohost users to access secrets or other stuff in these folders

ACL are different from the suid and sticky bit. They are basically an extended version of the classic UNIX permissions (which are okay for 99% of cases, but sometimes you just can’t do what you want with them apart from creating a gazillion amount of groups)

You can get and set acl with the getfacl and setfacl commands

Basically I think to solve your specific need, you may want to authorize the relevant user as an additional owner of the folder with at least +x permission

1 Like
3

Thank you very much for your quick answer!

I didn’t know about {get,set}facl commands, but (without knowing much about them now than before I admit xD ), their man pages are very complete and their usage is very straight forward.

The weird difference between my simpleuser and admin comes from the fact that the specific ACL given to /var/www explicitely remove all UNIX permissions to the members of the group all_users, which my simpleuser is part of, but not admin, who inherits the other UNIX permission, granting him r-x. When you know that everything make sense :slight_smile:

As you advised me, this simple command did the trick: setfacl -m u:simpleuser:x www.

Thanks again for your answer and your time :+1: :heart:

2 Likes
4

Sorry to thread hijack, but I have a related query.

I use a static site generator too, Hugo, and I cannot rsync files directly into /var/www.

Are there any major security implications I should be aware of to make the admin user the owner of that directory?

5

The main point about security is that permissions should be as much restricted to who needs them. In the past, /var/www had very wide permissions, in particular allowing any yunohost user (NB : those created with yunohost, not referring to unix users here) to access directories inside /var/www/ and possibly allowing access to a malicious user to secrets.

So basically it’s okayish to allow admin to access /var/www - or to allow one specific user to allow going through /var/www (and ideally don’t dump you hugo files in /var/www directly but preferrably in a /var/www/hugowebiste or whatever name :wink: )

1 Like