
I am running Apache2 + userdir on Ubuntu Server 14.04. Users are authenticated against AD and can successfully log in to this server via SSH. Each user's $HOME has 700 permissions to prevent users from changing and reading other users' files.

The directory /home/public_html is owned by Apache (www-data:www-data) and has permission 775 so that each user (a member of group www-data) can create his/her own subdirectory in /home/public_html under his/her username and create a symbolic link to it in his/her $HOME. Here is an example for a sample user with username jdoe43:

  • /home/Domain/jdoe43 is a $HOME directory (it has permission 700)
  • /home/public_html/jdoe43 is a public_html directory of user jdoe43 which is symbolically linked to /home/Domain/jdoe43/public_html

The UserDir directive is set to /home/public_html. The rest of userdir.conf is the Ubuntu installation default and is listed below for reference:

<IfModule mod_userdir.c>
   UserDir /home/public_html
   UserDir disabled root
   <Directory /home/public_html/*>
      AllowOverride FileInfo AuthConfig Limit Indexes
      Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      <Limit GET POST OPTIONS>
         Require all granted
      </Limit>
      <LimitExcept GET POST OPTIONS>
         Require all denied
      </LimitExcept>
   </Directory>
</IfModule>

I'm looking for a proper set of permissions to allow

  • Apache process to access files in /home/public_html/*
  • Users to have full control over their own public_html directories

and at the same time to disallow

  • a user to see/modify content of another user's $HOME directory
  • a user to see/modify content of another user's public_html directory located in /home/public_html/

Everything I tried with different sets of permissions ended up either with Apache not having access to users' public_html or with users having at least read access to other users' $HOME or public_html.

I found several posts proposing to use SELinux and configure the file system to deny access to other users' directories by means of permissions (like I did with $HOME by setting it to 700) and at the same time to grant the Apache process (by means of SELinux) access to /home/public_html along with all its subdirectories. I also found some resources stating that SELinux in recent versions of Ubuntu was replaced in favor of AppArmor, so, as I have limited experience with this technology, I decided to postpone any moves towards its implementation.

Any suggestions/recommendations are highly appreciated. Thank you.

Simon

1 Answer


There might be an SELinux boolean that lets you do such a thing relatively painlessly.

The Ubuntu wiki sends you to the Debian SELinux page, which confirms that they use the same refpolicies as other distributions (of course). I just checked the policy for Apache and the boolean is there. If you already have an SELinux-enabled Ubuntu you can easily check whether the boolean is enabled with

getsebool httpd_enable_homedirs

and check if the boolean is true or false (it defaults to false).

As shown here, after enabling UserDir you need to enable the boolean

setsebool -P httpd_enable_homedirs true

And relabel the directories for each user

chcon -R -t httpd_sys_content_t /home/testuser/public_html

Note that Unix permissions on the public_html directory are still 755 or whatever you need for your user/group setup.

chown testuser:testuser /home/testuser/public_html
chmod 755 /home/testuser/public_html

If you wish to go the SELinux way, that is what you need to do; I don't know much about AppArmor and other alternatives, but as you say the Ubuntu wiki is not very clear about SELinux support.

If you have some spare time I'd suggest trying it out on a test VM and seeing how it goes.

Hope this helps!

qwattash
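
An added example, not part of the original question or answer: a shell function that audits a shared UserDir root such as /home/public_html against the isolation goals listed in the question, using Unix mode bits only. It assumes GNU `stat -c` and treats the root's group as the group every user belongs to (www-data in the question); the function name and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a shared UserDir root (e.g. /home/public_html).
# Assumptions: GNU coreutils `stat -c`; the root's group is the group every
# user belongs to (www-data in the question). Labels are made up here.

# audit_userdir ROOT: print one finding per line; return 0 if clean,
# 1 if anything was found, 2 if ROOT cannot be inspected.
audit_userdir() {
    root=$1
    findings=0
    rmode=$(stat -c '%a' "$root") || return 2
    rgid=$(stat -c '%g' "$root") || return 2

    # A group- or world-writable parent without the sticky bit lets any
    # writer rename another user's subdirectory.
    if [ $(( 0$rmode & 0022 )) -ne 0 ] && [ $(( 0$rmode & 01000 )) -eq 0 ]; then
        echo "ROOT-NO-STICKY $root mode=$rmode"
        findings=$((findings + 1))
    fi

    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # glob matched nothing
        [ -L "$dir" ] && continue      # only real per-user directories
        mode=$(stat -c '%a' "$dir")
        gid=$(stat -c '%g' "$dir")

        # Any "other" bit exposes the directory to every local account.
        if [ $(( 0$mode & 0007 )) -ne 0 ]; then
            echo "WORLD-ACCESS $dir mode=$mode"
            findings=$((findings + 1))
        fi
        # Group bits on the shared group expose it to every member.
        if [ "$gid" = "$rgid" ] && [ $(( 0$mode & 0070 )) -ne 0 ]; then
            echo "SHARED-GROUP-ACCESS $dir mode=$mode"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run against a path when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_userdir "$1"
fi
```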