liudr
Posts: 685
Joined: Sat Jun 01, 2013 12:11 am
Location: Central MN, USA

Accounts: www-data vs. pi

Tue Jul 02, 2013 2:31 pm

I installed the Apache web server to add a web interface to my camera logger. I wonder how the different accounts and groups will play out in my project. The web server uses the www-data:www-data account and the camera logger runs under pi:(what group? pi?). My camera_logger is written in C and has no setuid or setgid in it to affect itself. It opens a few config files (I've set their access to 0666) and saves jpg images (also 0666). The executable and all the config and image files are currently owned by pi, and the binary is executed by pi from the command line (a daemon). I want to write a cgi program in C to change the camera_logger's config file, so that when the user submits a web form, the cgi program updates the camera_logger's config file accordingly. The camera_logger monitors the config file and changes its operating parameters when the file changes.

I think my main confusion is accounts and users. If user A owns a binary (0755), and it generates files, then when user B runs the binary, will the files generated belong to user A or B (no setuid or setgid)? The folder that contains the binary and its generated files belongs to A.
Arduino data loggers, user interface, printed circuit board designer since 2009, RPI 3B 2B 2B Zero Jessie, assembly/C/C++/java/python programmer since the 80's

jackokring
Posts: 816
Joined: Tue Jul 31, 2012 8:27 am
Location: London, UK

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 2:36 pm

All files by default are created owned by the user who ran the program. HOWEVER N.B. The directory which contains the files must be writable by the user in order to put a file in it. I think that's about it.
Pi[NFA]=B256R0USB CL4SD8GB Raspbian Stock.
Pi[Work]=A+256 CL4SD8GB Raspbian Stock.
My favourite constant 1.65056745028

liudr
Posts: 685
Joined: Sat Jun 01, 2013 12:11 am
Location: Central MN, USA

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 3:06 pm

So the folder that stores the image files should be 0777 then? I can do that. This multiuser thing is just not making things easy. I wish there were one mode for the RPI to run as root with everything.

geekinthesticks
Posts: 97
Joined: Fri Feb 08, 2013 7:22 pm

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 3:26 pm

No you really don't want everything run by root, that's the way to disaster. You could make your program and user members of the www-data group. Just make sure that the group has write permissions in your directory.
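
Added example, not code from this thread or from liudr's camera_logger: what the "put both accounts in one group and make the directory group-writable" advice above looks like from inside a C daemon. The directory gets the setgid bit so every file created in it inherits the directory's group (instead of the creating process's primary group), and the daemon creates files with umask 002 and mode 0664 rather than umask(0) and 0666, so the other group member can write them but the world cannot. The directory under /tmp and the image file name are assumptions for the demonstration.

```c
/* Added example: group-shared data directory for a daemon and a web
 * server account that share one group. Not the thread's camera_logger. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create (or fix up) a group-shared directory: owner rwx, group rwx,
 * others r-x, plus the setgid bit so files created inside inherit the
 * directory's group rather than the creating process's primary group.
 * The caller must be the owner and a member of 'group'. */
int make_shared_dir(const char *path, gid_t group)
{
    if (mkdir(path, 0775) != 0 && errno != EEXIST)
        return -1;
    if (chown(path, (uid_t)-1, group) != 0)   /* (uid_t)-1: keep the owner */
        return -1;
    /* chmod after chown: a chown by a non-root user clears the setgid bit */
    return chmod(path, S_ISGID | 0775);
}

/* Create a data file the way the daemon should: request 0664 and apply
 * umask 002, so the result is group-writable but not world-writable. */
int create_shared_file(const char *path)
{
    static const char payload[] = "jpeg data\n";   /* constructed sample content */
    mode_t old = umask(002);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0664);
    umask(old);
    if (fd < 0)
        return -1;
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Permission bits of path (setuid/setgid/sticky included, file type excluded), or -1. */
int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* 1 if the file carries the same group as the directory, 0 if not, -1 on error. */
int same_group_as_dir(const char *dir, const char *file)
{
    struct stat d, f;
    if (stat(dir, &d) != 0 || stat(file, &f) != 0)
        return -1;
    return d.st_gid == f.st_gid;
}

int main(void)
{
    char dir[] = "/tmp/camlog.XXXXXX";   /* assumed location for the demo */
    char img[4096];

    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    /* In the real setup 'group' would be the shared group (e.g. www-data);
     * here the process's own effective group stands in for it. */
    if (make_shared_dir(dir, getegid()) != 0) { perror("make_shared_dir"); return 1; }
    snprintf(img, sizeof img, "%s/img0001.jpg", dir);
    if (create_shared_file(img) != 0) { perror("create_shared_file"); return 1; }

    printf("%s mode %04o, %s mode %04o, same group: %d\n",
           dir, perm_bits(dir), img, perm_bits(img), same_group_as_dir(dir, img));
    return 0;
}
```

The setgid bit on the directory is what makes this work without anyone chowning files by hand: whichever account creates a file in there, the file belongs to the directory's group and, with umask 002, is writable by that group. The same permission scheme on the shell side is `chgrp www-data dir; chmod 2775 dir` plus `umask 002` in the daemon.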

jackokring
Posts: 816
Joined: Tue Jul 31, 2012 8:27 am
Location: London, UK

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 3:31 pm

This is why groups were introduced.

liudr
Posts: 685
Joined: Sat Jun 01, 2013 12:11 am
Location: Central MN, USA

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 3:40 pm

geekinthesticks wrote:No you really don't want everything run by root, that's the way to disaster. You could make your program and user members of the www-data group. Just make sure that the group has write permissions in your directory.
I'll do just that. Now about the root, if I need to add the camera_logger (daemon) to init.d I will have to do it with sudo so the camera_logger will run as root anyway. I don't know any way to avoid that. I see users and groups as unnecessary complications to an otherwise simple project. If all you want is to autorun a program you just compiled and occasionally log on to see what happens, why do you need all the groups and such?

geekinthesticks
Posts: 97
Joined: Fri Feb 08, 2013 7:22 pm

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 5:07 pm

The normal way would be to get your daemon to output stuff to a log file, usually in /var/log. Groups/permissions/etc are there because Linux/Unix was built from the ground up to be a secure multi user operating system. As such users are normally confined to writing things in their home directory. Groups are there to allow you to assign a whole group of users specific permissions. For example the users group normally allows everyone in that group read, but not write permission.

There is nothing to stop you running everything as root, but at some point you will shoot yourself in the foot, or even worse allow an ordinary user unfettered access to your system. On a standalone Pi that might not matter too much, but for most Linux systems security is strictly enforced. You only have to look at the mess that is Windows to see what chaos is caused by allowing everybody unfettered root access.

liudr
Posts: 685
Joined: Sat Jun 01, 2013 12:11 am
Location: Central MN, USA

Re: Accounts: www-data vs. pi

Tue Jul 02, 2013 8:19 pm

So to conform to some measure of security, how do I solve this problem?

I want a camera logger program on the RPI to generate images at adjustable intervals. I want web clients to view the latest snapshots and modify the camera logger config file via a form that invokes web server cgi calls. There are three users: root, which runs my camera logger at boot up as a daemon; www-data, which interacts with the cgi program and the camera logger config file and reads the images; and pi, which owns the executable, the config file and the images, because I have not been able to boot the daemon (possibly the daemon boots too soon and the TTL USB adapter driver is not in place, so the daemon can't find any camera on the TTL USB adapters and quits). I have to log on as pi and start it.

I have not learned web authentication yet so the web interface is open to anyone that knows the address, which is ok for now.

So should I simply put www-data in the pi group, or do other stuff such as giving ownership of some files, such as the cgi program, to www-data? I can't give ownership of the image files to www-data since they will eventually be generated by root from the daemon, but they are all generated with umask(0) and access 0666.

I really appreciate your input. I'm finding this stuff thick. I have every component working: the camera_logger, the cgi hello world, and the web server.

As for the "unix is best" speech, say that to all the politically correct root users. They have too much power and there is no way of tracking what they are doing. I very much despise the very concept of the unix root user as a god, making changes and assigning files to others without a trace or the users knowing their files have been compromised. Windows at least has a mechanism to warn users if a god has taken possession of their files. Tell me how to do that in unix and I will shut up.

geekinthesticks
Posts: 97
Joined: Fri Feb 08, 2013 7:22 pm

Re: Accounts: www-data vs. pi

Wed Jul 03, 2013 7:47 am

Regarding your startup problem. Have a look at http://www.debian.org/doc/manuals/debia ... nt_example which explains how to create init scripts that run after a particular service is ready. I am using Arch Linux at the moment, which uses systemd, not BSD style init scripts, so I am not sure exactly which parameters you need in your script.

If you just want to view your images, their being owned by root shouldn't be a problem. Just make sure that they are somewhere under the web document root. If you want to edit your config file from a web page, the simplest method would be just to load it in a web page form with a text box. You can then save it back using HTTP POST. Your config file would need to be somewhere accessible to Apache and writable by the Apache user.

Authentication is pretty straightforward. Assuming you are using Apache, just make sure your root web folder has the AllowOverride All directive set. You can then do authentication by using an .htaccess file in the directory you want to protect. Create your .htaccess file:

# Realm shown by the browser; htdigest must be run with the same realm string
AuthName        "org Files"
AuthType        Digest
# Password file; keep it outside the document root (Arch path shown,
# Raspbian keeps its Apache files under /etc/apache2)
AuthUserFile    /etc/httpd/org.passwd
Require         valid-user
# Apache 2.2 style access control: with no Allow line, host-based access
# denies everyone, and Satisfy any lets a valid Digest login through instead
Order           allow,deny
Satisfy         any

Do a man htdigest for how to create the password file.

Apache config:

<Directory />
    Options FollowSymLinks
    AllowOverride All
    # Deny filesystem-wide by default; the document root needs its own
    # <Directory> block that allows access
    Order deny,allow
    Deny from all
</Directory>
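
Added example, not code from this thread: a minimal C cgi program of the kind liudr described, taking the interval from the HTML form POST that geekinthesticks suggests and rewriting the logger's config file. It assumes a form field named "interval", a config file at /var/lib/camera_logger/config whose directory is group-writable by the web server's group, and a config format of one "interval=N" line; none of these come from the thread. The value is validated as a bounded integer before anything is written, and the file is replaced atomically (temp file plus rename) so a daemon polling the config never reads a half-written file.

```c
/* Added example: form-driven config update for a polling daemon.
 * Assumed form field "interval", assumed config path and format. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MIN_INTERVAL 1        /* seconds; assumed bounds for the demo */
#define MAX_INTERVAL 3600
#define MAX_BODY     1024     /* refuse oversized POST bodies outright */

/* Pull the decimal value of "interval=..." out of an x-www-form-urlencoded
 * body. Returns 0 and stores the value, or -1 if the field is missing,
 * non-numeric, out of range or followed by junk. Only digits are accepted,
 * so no %XX decoding is needed and no other characters can reach the file. */
int parse_interval(const char *body, int *out)
{
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, "interval=", 9) == 0) {
            long v = 0;
            p += 9;
            if (!isdigit((unsigned char)*p))
                return -1;
            while (isdigit((unsigned char)*p)) {
                v = v * 10 + (*p - '0');
                if (v > MAX_INTERVAL)      /* also stops long overflow */
                    return -1;
                p++;
            }
            if (*p != '\0' && *p != '&')
                return -1;
            if (v < MIN_INTERVAL)
                return -1;
            *out = (int)v;
            return 0;
        }
        p = strchr(p, '&');            /* skip to the next field */
        if (p)
            p++;
    }
    return -1;
}

/* Replace the config atomically: write a temp file beside it, fsync, rename.
 * rename() needs write permission on the directory, which is why the config
 * directory is group-writable; the new file is owned by the cgi's account. */
int write_config_atomic(const char *path, int interval)
{
    char tmp[4096], line[64];
    int fd, n, ok;

    if (snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid()) >= (int)sizeof tmp)
        return -1;
    /* O_EXCL: never reuse or follow a file someone else planted with this name */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0664);
    if (fd < 0)
        return -1;
    n = snprintf(line, sizeof line, "interval=%d\n", interval);
    ok = write(fd, line, (size_t)n) == (ssize_t)n && fsync(fd) == 0;
    if (close(fd) != 0)
        ok = 0;
    if (ok && rename(tmp, path) == 0)
        return 0;
    unlink(tmp);
    return -1;
}

/* What the daemon side would do on each poll: re-open by path and read N. */
int read_config_interval(const char *path)
{
    FILE *f = fopen(path, "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "interval=%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    const char *cl = getenv("CONTENT_LENGTH");
    long len = cl ? strtol(cl, NULL, 10) : 0;
    char body[MAX_BODY + 1];
    int interval;

    printf("Content-Type: text/plain\r\n\r\n");
    if (len <= 0 || len > MAX_BODY || fread(body, 1, (size_t)len, stdin) != (size_t)len) {
        printf("bad request\n");
        return 0;
    }
    body[len] = '\0';
    if (parse_interval(body, &interval) != 0) {
        printf("invalid interval\n");
        return 0;
    }
    if (write_config_atomic("/var/lib/camera_logger/config", interval) != 0) {
        printf("could not write config: %s\n", strerror(errno));
        return 0;
    }
    printf("interval set to %d\n", interval);
    return 0;
}
```

Two points follow from the rename. The daemon has to re-open the config by path on each check (as read_config_interval does) rather than keep one descriptor or an inotify watch on the old inode, because the file it first opened is gone after the first update. And since the replaced file now belongs to www-data, the daemon reads it through the group permission, so it must be in the shared group too, exactly the arrangement suggested earlier in the thread. The program does no authentication of its own; that is what the .htaccess above is for.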
