Linux security howto
My way to install ariadne under linux
Ariadne/Linux security settings
After installing ariadne under Linux The good people of muze asked me to document the way I set up things under Linux. (RedHat in this case, but things should work also under other Linux distro's)
The basic problem here are the files en session directories as they should be writeable for the webserver. But a chmod 777 would open these directories up for every user of the system.
And since the files directory contains all the files and templates, this is a seriouse security problem on a system with users, and at best sloppy security on every other system.
A secure installation can be split in a number of components. Server security, Apache level, system level and Ariadne. The server security is outside the scope of this document.
First we are going to create a group in which all the websites are going to be a member.
Create a user and group for the webserver. Personally I use web.web. Fix this in the httpd.conf and make sure that all apache's directories are owned by this user. Under RedHat that would mean a
chown -R web.web /home/httpd/
Once this is done you can close the directory for everybody besides the owner and the group.
chmod -R 770 /home/httpd/
In the /etc/httpd/conf/httpd.conf the
are important. Restart the server and everything should work as usual.
2.2. System level
The files which are created should have a mode rw for the owner and the group. This means that the umask for the web.web user should be 0002. To set this become root, then become the webuser. As webuser set the umask.
All files created through the webserver or one of it's processes are now readable and writeable for user web and everybody who is a member of the group web.
Now is it time to install ariadne. I normaly create an user for every website. Since an ariadne setup can contain more than one site they all share a system user. So become root and create a user:
This will create also an directory /home/muze. Login as the user muze and install ariadne as per the instructions. Just don't run the install.php script!
Now it's time to make the user muze a member of the web group. All the files and directories should be owned by the web group.
usermod muze -G web
chown -R muze.web muze
chmod -R u+rw,g+rw,o=
All the files and directories should now be read/writeable by all members of the web group. The only problem left is that files created from the commandline are not automatically owned by group. So finally we have to put the sticky bit on the files and session directories. If this bit is set, new files are owned by the same group as the directory in which they are created. Since we changed all the directories to being owned by the web group, with the sticky bit all created files are also owned by the web group.
chmod -R g+s files
chmod -R g+s sessions
finaly run the install script
php -f install.php
3. Final notes
probably you want to make your own useraccount member of the web group too. Most of these settings also work for a standalone setup without Ariadne.