sgid bit security

Question

I work in a shared web development environment. My team frequently creates new files and folders on the server, but they always need to change group permissions afterward.

For default permissions on new files, I set umask 002 in the bashrc. BUT for default permissions on new directories:

$ sudo chmod g+s /var/www

New directories within /var/www now display as:

drwxrwsr-x 2 user www-data 4096 2010-10-14 08:49 test

Now, this setup works correctly, i.e. new files and directories are group-writable by default. Are there any security issues to using sgid in this setup? Being extra cautious because I don't fully understand setuid risks.

Answer 1

My understanding of your setup is that every file created will be with permissions 0775. You set the SGID (Set Group ID) bit to the /var/www directory which will force any file/directory created inside it to inherit the existing group owner rather than the owner creating it. As for the SUID (Set User ID) bit it doesn't seem like you're using it unless I've mistaken your description.

I'm assuming you have every user part of the 'www-data' group (default Apache group) and that's what's making everything run smoothly now.

The security risks I see is that now Apache (part of 'www-data' group) has full access to every file under your web root folder. If you happen to have a public script with a security hole, or Apache is somehow compromised, your entire /var/www folder (at least) is at it's mercy.

Instead I would create a separate group (say 'developers') and make your team a part of that. Change the group owner of your /var/www folder to 'developers' and leave Apache with the default access ('r-x' for directories, 'r--' for files) and selectively assign higher permission only where you need to (cache, uploads, etc).

Hope this helps, it's my first response/answer, and way past my bedtime :)