Now that I have SC runniing again I like to have a look at the security.
Especially the permissions.
Can someone help me which user(s)/usergroups should have access to which folders and with what type of access (read/write/exec)
I understand that SC (or Apache?) needs R/W access to the media file directories. (also excute access?). But what is the username for the SC user?
My idea is to create a usergroup "tusers" (trusted users) on my QNAP, add the SC user and other trusted users to this group, and after that change permissions to my media folders like below:
chown -R admin:tuser /mediafolder
chmod -R 770 /mediafolder
Does this make sense?
Some for access to the Swisscenter folders. But which folders should be accessible to which users (probably different for day to day use and for updates?)
Thanks.
Permissions
6 posts
• Page 1 of 1
Permissions
by Dutchsea » Tue Sep 07, 2010 9:44 am
QNAP TS-509 Pro (1.6 MHz, 4 GB, 3.6.1 Build 0302T) – Linux - PHP 5.2.11, MySQL 5.1.36 & Apache 2.2.14 – Swisscenter SVN [1685]
Custom PC (2.8 MHz, 4GB ) – Windows 7 Pro - PHP 5.2.9-1, MySQL 5.1.32 & Simese v2.5.10 - Swisscenter SVN [1685]
Player: Popcorn C200
Custom PC (2.8 MHz, 4GB ) – Windows 7 Pro - PHP 5.2.9-1, MySQL 5.1.32 & Simese v2.5.10 - Swisscenter SVN [1685]
Player: Popcorn C200
-
Dutchsea - Senior Member
- Posts: 379
- Joined: Sun Dec 17, 2006 11:43 am
- Location: Hilversum
- Country:
Re: Permissions
by avgjoemomma » Tue Sep 07, 2010 8:09 pm
I think the biggest thing that will affect the file and directory permissions is the user that you have Apache running as. There are options in Apache to have it run as a different user after starting up as the root user (in QNAP it is the admin user). That should be the user/group that owns permission to the files and directories for SC.
I recommend just going with one user that Apache runs under and owns the files and directories (i.e. /share/Qweb). I'll admit I had to give up the fight for proper Linux security because the QNAP firmware version I have changes the permissions for /share/Qweb and /share/Qmultimedia with every reboot (back to admin). So I ended up running my webserver (lighttpd) as admin:S You might have a newer firmware version that solves this issue though.
I recommend just going with one user that Apache runs under and owns the files and directories (i.e. /share/Qweb). I'll admit I had to give up the fight for proper Linux security because the QNAP firmware version I have changes the permissions for /share/Qweb and /share/Qmultimedia with every reboot (back to admin). So I ended up running my webserver (lighttpd) as admin:S You might have a newer firmware version that solves this issue though.
Player: Popcorn Hour A-110
Router: Linksys-Cisco WRT54GL (DD-WRT) (TCP Vegas enabled)
SC server: QNAP TS-109 II Lighttpd v1.4.23-1 PHP v5.2.11 MySQL v5.0.27-log
NAS Server: QNAP TS-109 II
Router: Linksys-Cisco WRT54GL (DD-WRT) (TCP Vegas enabled)
SC server: QNAP TS-109 II Lighttpd v1.4.23-1 PHP v5.2.11 MySQL v5.0.27-log
NAS Server: QNAP TS-109 II
- avgjoemomma
- Member
- Posts: 114
- Joined: Wed Jan 14, 2009 3:21 pm
- Location: USA
- Country:
Re: Permissions
by Dutchsea » Tue Sep 07, 2010 9:56 pm
Do you know which user is responsible for the updates of SC?
When I used the guest:guest user/group, SC was not properly updated.
But if I use admin:guest I get the error: "root" installs are not supported in the config screen of SC
See also link
Also, to set all media files with a 777 permission seems somewhat unsafe..
When I used the guest:guest user/group, SC was not properly updated.
But if I use admin:guest I get the error: "root" installs are not supported in the config screen of SC
See also link
Also, to set all media files with a 777 permission seems somewhat unsafe..
QNAP TS-509 Pro (1.6 MHz, 4 GB, 3.6.1 Build 0302T) – Linux - PHP 5.2.11, MySQL 5.1.36 & Apache 2.2.14 – Swisscenter SVN [1685]
Custom PC (2.8 MHz, 4GB ) – Windows 7 Pro - PHP 5.2.9-1, MySQL 5.1.32 & Simese v2.5.10 - Swisscenter SVN [1685]
Player: Popcorn C200
Custom PC (2.8 MHz, 4GB ) – Windows 7 Pro - PHP 5.2.9-1, MySQL 5.1.32 & Simese v2.5.10 - Swisscenter SVN [1685]
Player: Popcorn C200
-
Dutchsea - Senior Member
- Posts: 379
- Joined: Sun Dec 17, 2006 11:43 am
- Location: Hilversum
- Country:
Re: Permissions
by avgjoemomma » Tue Sep 07, 2010 11:20 pm
To detail my set up a bit more,
I use lighttpd as my webserver (Apache is too heavy for my old QNAP) and lighttpd is updated much faster in optware so there is no need to wait for a firmware update to fix security issues or other bugs). I run lighttpd as admin:administrators It's not the safest option but I had to give into this due to the chroot jail that QNAP has implemented. I would not suggest going this route if your QNAP can handle Apache well as there are too many workarounds to get things working properly
I'm not sure how QC checks to if it is installed by root. For the initial install I would chown everything by guest:guest ( that is the user Apache should be running as and also the user that would perform the SC update). Permissions should be -rw-rw-r-- )For the media directories, I give Other rwx access to the directories which will allow SC to read the media (/share/Qmultimedia) and also write the image files. The media itself (.avi, etc just needs to be read only for ugo -rw-r--r-- )
I use lighttpd as my webserver (Apache is too heavy for my old QNAP) and lighttpd is updated much faster in optware so there is no need to wait for a firmware update to fix security issues or other bugs). I run lighttpd as admin:administrators It's not the safest option but I had to give into this due to the chroot jail that QNAP has implemented. I would not suggest going this route if your QNAP can handle Apache well as there are too many workarounds to get things working properly
I'm not sure how QC checks to if it is installed by root. For the initial install I would chown everything by guest:guest ( that is the user Apache should be running as and also the user that would perform the SC update). Permissions should be -rw-rw-r-- )For the media directories, I give Other rwx access to the directories which will allow SC to read the media (/share/Qmultimedia) and also write the image files. The media itself (.avi, etc just needs to be read only for ugo -rw-r--r-- )
Player: Popcorn Hour A-110
Router: Linksys-Cisco WRT54GL (DD-WRT) (TCP Vegas enabled)
SC server: QNAP TS-109 II Lighttpd v1.4.23-1 PHP v5.2.11 MySQL v5.0.27-log
NAS Server: QNAP TS-109 II
Router: Linksys-Cisco WRT54GL (DD-WRT) (TCP Vegas enabled)
SC server: QNAP TS-109 II Lighttpd v1.4.23-1 PHP v5.2.11 MySQL v5.0.27-log
NAS Server: QNAP TS-109 II
- avgjoemomma
- Member
- Posts: 114
- Joined: Wed Jan 14, 2009 3:21 pm
- Location: USA
- Country:
Re: Permissions
by Dutchsea » Fri Sep 10, 2010 12:03 pm
OK, I think I get the picture. Most of it is very logical but as I got strange results when trying different permission settings I got confused.
For some details, see here
SC/Apache user seems to be different in my case. Thats probably why the outcome of my changes to permissions failed. When I look at the files created (xml & jpg) by the mediasearch they are all owned by user httpduser [99]
Can I conclude that this is the SC/Apache user? Also, does it make sense to try change this user?
(FYI, the guest account is disabled for all my folders on the QNAP)
No worries, I tried to add lightpd to my Synology in the past => crahed and burnedI would not suggest going this route if your QNAP can handle Apache well
I'm not sure how QC checks to if it is installed by root.
For some details, see here
I would chown everything by guest:guest ( that is the user Apache should be running as and also the user that would perform the SC update).
SC/Apache user seems to be different in my case. Thats probably why the outcome of my changes to permissions failed. When I look at the files created (xml & jpg) by the mediasearch they are all owned by user httpduser [99]
Can I conclude that this is the SC/Apache user? Also, does it make sense to try change this user?
(FYI, the guest account is disabled for all my folders on the QNAP)
QNAP TS-509 Pro (1.6 MHz, 4 GB, 3.6.1 Build 0302T) – Linux - PHP 5.2.11, MySQL 5.1.36 & Apache 2.2.14 – Swisscenter SVN [1685]
Custom PC (2.8 MHz, 4GB ) – Windows 7 Pro - PHP 5.2.9-1, MySQL 5.1.32 & Simese v2.5.10 - Swisscenter SVN [1685]
Player: Popcorn C200
Custom PC (2.8 MHz, 4GB ) – Windows 7 Pro - PHP 5.2.9-1, MySQL 5.1.32 & Simese v2.5.10 - Swisscenter SVN [1685]
Player: Popcorn C200
-
Dutchsea - Senior Member
- Posts: 379
- Joined: Sun Dec 17, 2006 11:43 am
- Location: Hilversum
- Country:
Re: Permissions
by avgjoemomma » Fri Sep 10, 2010 5:43 pm
There you go, try chowning the files by httpduser and hopefully that will do the trick. Now I remember that apache starts up as root but instantly forks to httpduser to perform the actual work for security.
Player: Popcorn Hour A-110
Router: Linksys-Cisco WRT54GL (DD-WRT) (TCP Vegas enabled)
SC server: QNAP TS-109 II Lighttpd v1.4.23-1 PHP v5.2.11 MySQL v5.0.27-log
NAS Server: QNAP TS-109 II
Router: Linksys-Cisco WRT54GL (DD-WRT) (TCP Vegas enabled)
SC server: QNAP TS-109 II Lighttpd v1.4.23-1 PHP v5.2.11 MySQL v5.0.27-log
NAS Server: QNAP TS-109 II
- avgjoemomma
- Member
- Posts: 114
- Joined: Wed Jan 14, 2009 3:21 pm
- Location: USA
- Country:
6 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests