Two new users were created to further improve the security of ePages. Their rights are limited as far as possible. The application server and web server processes run under these new users. Because their access rights are limited, external users cannot use these processes to access the system.

Existing users

ep_appl, ep_web, ep_db

All user and file rights of these users generally remain the same.

New users - ePages Run-Users

eprunapp

user to run application server processes

eprunweb

user to run web server processes

The access rights of these users are limited as much as possible:

  • no login shell for eprunweb

  • file access rights are limited as much as possible (read, write)

eprunapp is a member of the groups epages and ep_web; eprunweb is a member of the group ep_web.

That grants all necessary read rights. The files in cartridges, Perl etc. are not owned by the Run-Users, so these users cannot change the files. Setting the files read-only for the file owner is therefore not necessary.

The environment variables EPAGES_APPUSER and EPAGES_WEBUSER contain the names of the users and are set by the patch or installation in /etc/default/epages6:

  • via Patch in prerequisits.ini

  • via full installation in install.cfg

Names and user IDs can be freely chosen for eprunapp and eprunweb. Defaults:

EPAGES_APPUSER=eprunapp
EPAGES_WEBUSER=eprunweb

The former state can be restored by defining:

EPAGES_APPUSER=ep_appl
EPAGES_WEBUSER=ep_web
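
The properties listed above (no login shell for the web run-user, the stated group memberships, no ownership of the cartridge and Perl files) can be checked after a patch or installation. The following script is an added example, not part of ePages; the function names are hypothetical, it takes the user names from EPAGES_APPUSER and EPAGES_WEBUSER when they are set in the environment, and it reads only the local passwd and group files.

```shell
#!/bin/sh
# Added example (not ePages code): audit the run-user setup described above.
# Reads local account files; override the paths to audit a copy or a sample.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Succeeds if user $1 exists and has a non-interactive shell.
has_no_login_shell() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD_FILE")
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if user $1 belongs to group $2, as primary or supplementary group.
in_group() {
    gid=$(awk -F: -v g="$2" '$1 == g { print $3 }' "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$1" -v gid="$gid" \
        '$1 == u && $4 == gid { ok = 1 } END { exit !ok }' "$PASSWD_FILE" && return 0
    awk -F: -v u="$1" -v g="$2" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) ok = 1
        } END { exit !ok }' "$GROUP_FILE"
}

# Prints every file under directory $1 that user $2 owns. For the cartridges
# and Perl trees the expected output is empty for both run-users.
owned_by() {
    find "$1" -user "$2" -print
}

# Checks the properties the page states; prints one line per failure.
audit_run_users() {
    app=${EPAGES_APPUSER:-eprunapp}
    web=${EPAGES_WEBUSER:-eprunweb}
    rc=0
    has_no_login_shell "$web" || { echo "FAIL: $web has a login shell"; rc=1; }
    in_group "$app" epages || { echo "FAIL: $app not in group epages"; rc=1; }
    in_group "$app" ep_web || { echo "FAIL: $app not in group ep_web"; rc=1; }
    in_group "$web" ep_web || { echo "FAIL: $web not in group ep_web"; rc=1; }
    return $rc
}
```

Calling `audit_run_users` as root returns non-zero if any check fails; `owned_by "$EPAGES_CARTRIDGES" eprunapp` should print nothing.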

eprunweb

eprunweb does not need write access to Apache/logs. The process is started by root.

eprunweb can write into $EPAGES_LOG and $EPAGES_SHARED/Monitor because the group ep_web is allowed to write there.

Necessary Changes

  • change /etc/init.d/epages6 (web server process)

  • httpd.conf: user ep_web is changed to user eprunweb

  • set user eprunweb during the setup

External web servers are not affected by these changes.

eprunapp

eprunapp is now created in addition to ep_appl. ep_appl continues to be used for starting processes from the command prompt, for example:

cd $EPAGES_CARTRIDGES/DE_EPAGES
perl Makefile.PL
make reinstall

eprunapp should not be used for that.

All access rights remain as before, except for $EPAGES_SHARED.

$EPAGES_SHARED

eprunapp has only read access within these directories unless the access rights are changed.

  • Config

    chown -R eprunapp ASPool.db DataCache.conf EbayCategories.db
    chmod -R 775 ASPool.db DataCache.conf EbayCategories.db

  • Log

    chown -R eprunapp Log

  • Monitor

    Access rights remain the same.

  • Static, Stores, WebRoot

    chown -R eprunapp Static Stores WebRoot

These changes can take a long time on large installations. (The processes may even crash because of inode caching.) Workaround:

  1. adduser eprunapp (same ID as ep_appl)

  2. set a new ID for ep_appl

  3. set permissions (but not for Static, Stores, WebRoot)

Necessary changes:

  • change /etc/init.d/epages6 (file access right, application server process)

  • create the User eprunapp during setup

  • change File.pm→SetAccessRights

  • Access rights in patch and full version

Effects on patch process

Patching works much the same as before. The file access rights are changed during the patch process. The patch can only be performed by root.

Effects on partner cartridges

The change of access rights doesn’t have any influence on partner cartridges.