Apache 2 on Mac - localhost requires authentication - macos

I'm using Apache 2 to run my localhost on Mac (Mavericks), and every time I add a file or a folder in the default directory /Library/WebServer/Documents (and its subdirectories) the system asks me to authenticate:
This is a problem specially when using frameworks like Symfony or Zend Framework because they can't have writing access to folders. What can I do to solve this?

Mac/Linux grants access on different levels:
Per user
Per group
Per everybody
The folder Library/WebServer/Documents outside of the logged-in user paradigm (you) therefore write access (and other access like execute) is only granted to the administrator of the computer (or so-called root) which isn't you however on most Mac environment the password of root is your password (different users with the same password).
You will want to modify Apache2 configuration and change the directory to a folder located within your user's directory which is something like /Users/{whatever is your username} (you will probably need to create the folder).
Once, you moved the content of /Library/WebServer/Documents into the new folder, make sure the permission are set properly. Refer to the following documentation at the chapter "How to Modify Permissions with the Info Window".
The reason why your Mac is asking for permissions to write files outside of your user's directory is for security reasons. Imagine if you download a file, execute it and grant access (by giving the root password) then the file could potentially be a virus and erase or do all kind of things on your computer.

Related

Folder Share permissions

I am having a weird issue that didn't used to happen. Perhaps windows update causes this?
We have an E drive partition created and I created a directory:
Test1
I shared it with administrators and everyone. Administrators have full access while everyone group only has read permissions but this folder only. I added a permission to allow full control to this folder and subfolder's and files to it and assigned it to domain admins. My jadmin#domain.local account is added to this group
I checked the security on the folder and the same permissions exist.
I created a directory within Test1 and called it New Folder, disabled inheritance and made sure explicit permissions for domain admins full control to all dir and subdir and files are added.
When i attempt to open this folder, i get a message:
"You don't currently have permission to access this folder. Click Continue to permanently get access to this folder".
When I Push Continue then an explicit permission for my user gets added to that folder. I am trying to prevent that from happening. If domain admins(my user added to this group) is added with full control. Why does this warning pop up and require my user to explicitly be added. How to prevent this from occurring?
I was expecting to be able to access the new folder directory without any warning and an explicit permission to be added
Check if you can access it with an elevated CMD.
Folders wich are protected for builtin administrators groups are supposed to be security relevant. These users should also not be used to administrate on server systems.
Increase security by creating a seperate admin group and dedicated permissions.
Alternatives are using a progam that can be started elevated, Like CMD, PowerShell, totalCommander, winscp (local part) and many more.
You could also administrate remote. That should remove the problem.
Another way would be to add "Interactive Logon" group to all of your permissions where you need to access.
Disabling UAC or removing administrators from the security settings is the least that I would suggest.

File access security for shared directories - Windows Server 2012 R2 - AD

Our application uses a shared directory to store files that are 'checked out', modified via our application, and then 'checked in' to a shared directory, which is being accessed via SMB (The environment is hosted on a set of AWS servers, and our end-users access it via Citrix).
All users have read, write, etc. permissions for the shared directory.
We've recently changed the architecture of the application a bit. Previously, each user had his/her own subdirectory in the shared directory where the checked in/checked out file was stored.
In the new architecture, the individual subdirectories aren't used, so that all files checked in by users are stored directly into the shared directory. Users are then allowed to checkout/checkin any file in the shared directory.
The checkout process involves doing a File.Copy of the library version of the file to the user's local, non-shared directory. The user then uses our application to make changes to the file, which is then saved locally and File.Copy'd back into the shared directory.
Except that in the new architecture, the 'checkout' operation fails when User 2 attempts to checkout a file that was originally checked in by User1. As near as we can tell, this is because when, for example, User 1 checks a file in to the shared directory, the file implicitly receives a security entry for his specific AD login. A subsequent File.Copy operation by User 2 gets a permission error. If a full admin for the host system removes the security entry for User 1, then the File.Copy from the shared directory to User 2's local directory works fine.
Note that both users are assigned to a group with read, write, modify, etc to the shared directory (but not 'full control').
This doesn't seem like that unusual of a situation. We haven't (yet) tried to see if the application can programmatically remove the security entry created on the checkin - even assuming that's possible, it would be nice not to have to resort to that. But we've not found any arrangement of security settings that works.
Any information or suggestions will be appreciated.
Thanks...
As requested:
\\citrixfile01\Shares\clients\002\library
ALIGHTENT\002.EightTwoConversion:(I)(OI)(CI)(M)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(RX)
S-1-5-21-3973462947-2300097736-545649627-500:(I)(OI)(CI)(F)
ALIGHTENT\citrix:(I)(OI)(CI)(F)
ALIGHTENT\alightcalc:(I)(OI)(CI)(M)
ALIGHTENT\Domain Admins:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
\\citrixfile01\Shares\clients\002\library\AML_AmPac_8.2.amox
ALIGHTENT\002.Admin1:(I)(M)
ALIGHTENT\citrix:(I)(F)
ALIGHTENT\AEAdmin2:(I)(M)
ALIGHTENT\Domain Admins:(I)(F)
BUILTIN\Administrators:(I)(F)
When a file is moved, Windows does not update the ACL to add or remove inherited permissions. This is presumably for backwards-compatibility reasons; the permissions model looked somewhat different in the earliest versions of Windows NT.
Your options are to copy the file instead of moving it, or to explicitly reset the permissions after the file has been moved.
If you want to explicitly reset the permissions, you can do this using File.SetAccessControl. To apply the inherited permissions for the new location, the FileSecurity object should contain an empty ACL and the AreAccessRulesProtected property should be false.

Restricting user access on SFTP server backed by S3

I am trying to create a SFTP server which will be backed by S3. I have already succeeded in installing vsftpd and s3fs, linked them and things are working just fine.
Requirements :
A FTP server will have more than one users, and each other will have different s3 buckets linked to their ftp folder. [done]
Approach : Created two different users (say user1 & user2), and mounted buckets to their home directory.
One user should not be able to view folders and files of other users.
Approach : Since I created two different users, I thought the access will be restricted. But looks like when I mount a bucket using s3fs it changes access of the folder to 777.
Now the issue is, I can't restrict my users to access files of other users.
My /etc/vsftpd.conf looks like this :-
ftpd_banner=Welcome to Dave's FTP service.
# Now restrict users to their home directories:
chroot_local_user=YES
allow_writeable_chroot=YES
I have seen and tried issues like this, this and this. These didn't help, so please think again before marking it as duplicate
You need to create mount directory inside the user directory like /home/user1/mountToS3 and then restrict that directory using chmod and chown. This should do. Let me know if you find any issue. :)

Deny access to a specific folder for a sudo user

I have a question: I am root in an Ubuntu system. I want to give a user (say username is X) permission to execute any command but at the same time I have a folder that I want no one to be able to access except my user (which is certainly not X because it is say Admin) or root. Any suggestions? Thanks!
If a user can execute any commands as sudo he can also become root whenever he wants. That's why there is not a chance to protect a directory from browsing by such a user unless you restrict the list of commands the user can execute with sudo.
One idea could be to put the folder on a separate partition which is encrypted with a password. The user would need to decrypt the partition before he could mount that folder.

localhost on a Mac, mySQL Root, write enabling folders, and migrating to a real server

I'm developing a site on an XAMPP localhost on a Mac. I manipulate my mySQL database via phpMyAdmin (not comfortable with the command line).
Everything works fine (I know, right!).
2 things have got me worried for when I eventually move my site to a real online live server.
First the background:
1) I am using a CMS/Framework type thing. When trying to install it (in the htdocs folder), I found that I needed to write-enable some folder or the other (FileSystem permissions in Finder). So I write-enabled all the folders contained in the mother folder. Mac's have 3 default types of users (right-click a folder in Finder and choose info). They are "Me", "admin" and "everyone". I right-clicked the mother folder (in Finder), selected "Read&Write" for all 3 types of users, and chose "Apply to enclosed items." And the installation worked out fine.
2) I am able to come and go as I please into phpMyAdmin to directly manipulate my database. I presume phpMyAdmin recognizes me as Root. I do not have a password for Root. I do have a separate user created with a password (let's call the user "specificdbuser") and I use "specificdbuser" to connect to the database from within my site's PHP code.
My concerns regarding 1 & 2 are:
1) I'm presuming that enabling Read&Write permissions for all 3 types of users, and in particular for all folders and items within the mother folder, is a security risk. Is there a better way? (a) How do I figure out which folders need to be writeable so that I only make those writeable instead of making everything writeable?, and (b) Instead of giving Read&Write permissions to the 3 default Mac user types, should I instead be creating some new type of user (Root? specificdbuser?) and only give that user permission to Read&Write permissions? As this is a website, do I need to give "everyone" permission to Read&Write? What the heck does "everyone" mean anyway?
2) Let's say I eventually set up my database's Root account with a password. When I eventually migrate my localhost site to a real live online server, will this Root / password combination work on that site too?
I'm kind of confused, are you talking about FileSystem permissions or MySQL Database permission? If it is a FileSystem question, then please check the web service user that runs your PHP scripts. If it's a database permission, then please refer to #2 answer.
I would say, for security reason never use the "root" when connecting to your database. I would suggest you setup the same user name/password/permissions on your local and in server. But if that doesn't make sense you can have a config file that says if "localhost" then db_user = blah_blah, else if server side db_user = blah.

Resources