Syncronization of access right between lighttpd and system

Question

Hello! We are in the middle of designing a web server application which runs on an existing Linux system. We are using the lighttpd server, and have now ran into some security issues. For various reasons we have chosen Lua to develop our application. Since we have existing users that logs in to the machine using ssh, we would like the users logging in via the web interface to use the same access levels, user names and passwords. Preferably, the users performing actions (they are accessing various configuration files on the system) should have the access rights to the files handled by the OS rather than the web server. What are the suggestions here?

Thanks in advance!

Answer 1

Your problem is that you can't change the user under which the server runs when a human user logs in. Therefore, you can't use OS level security to control file access as long as you stay in the context of the server's process.

You can put all users and the web server in a group and use umask 002 to make sure all members of the group can access all files. In your LUA code, you need to check that the current user is the owner of the file and refuse the operation otherwise.

If a new file must be created, then you need a SUID program that can change the owner of the file from "webserver" to "user".

Alternatively, you can create a SUID program that can change it's UID and which accepts commands from the webserver. When a user logs in, you start the program with the UID of the user and then tell it which files to access.