Posted by David Creasy (July 18, 2016)

Improved security for Mascot Installations under Linux

In the manual, we recommend (because it is easiest) that ms-monitor.exe is run as root. However, a more secure arrangement is to run ms-monitor.exe as a less privileged user.

On Debian-based distributions (including Ubuntu), Apache and the CGI processes it spawns run as www-data:www-data. This is set in /etc/apache2/envvars:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data 

The User and Group directives in /etc/apache2/apache2.conf normally reference those variables, so check there as well; a literal user or group given in the directive takes precedence over envvars:

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

For this article, we will assume that your system has the default configuration.

The directories that need to be written to by the apache cgi process (i.e. www-data:www-data) are:

  • mascot/config/*
  • mascot/data (and subdirectories)
  • mascot/logs/*
  • mascot/sequence (if you use Database Manager)
  • mascot/sessions/*
  • mascot/taxonomy
  • mascot/unigene

In addition, ms-monitor.exe needs to be able to write to all of the above files and directories. For example, when ms-monitor.exe finds a new database to bring on-line, it runs a test search. This means it needs to create a file in mascot/data/test, it may need to create the mascot/data/yyyymmdd directory if it doesn't exist, and it will need to add files to that directory. A potential problem occurs if ms-monitor.exe creates a subdirectory under mascot/data and the CGI process, running as a different user, then cannot write to that directory. In addition to the above, ms-monitor.exe also needs to write to:

  • mascot/bin/monitor.pid

A more secure arrangement is to run ms-monitor.exe as a user that also belongs to the www-data group, to make the directories writeable by that group, and to use the setgid bit on directories so that everything created beneath them inherits the group.

To do this, there are two settings in the options section of mascot.dat that will need to be changed, or added if they are not present:

UnixDirPerm
This specifies, in octal, the Linux permissions that will be set on the 'daily' result file directories (mascot/data/yyyymmdd) that Mascot creates. The default is 777. For example, 775 makes each directory world readable but not world writeable. If you set this to 2770, the directories will not be readable by other users at all, and the setgid bit will be set, so that all new files and subdirectories created in the directory have the same group as the parent directory (subdirectories also inherit the setgid bit itself).

UnixWebUserGroup
This entry, if present, will be used to set the group id of directories created by Mascot. If it is set to -1 (the default) then no group will be set. The value must be the numeric group id rather than the name. Group ids can be found in the /etc/group file, or with `getent group www-data`.

Example:

Create a user, 'mascot', that belongs to www-data and possibly other group(s) such as users. www-data does not need to be the primary group. In this example the id of the www-data group on the system is 33.

ms-monitor.exe is run as 'mascot'.

In the options section of mascot.dat:

UnixDirPerm 2770
UnixWebUserGroup 33 

You will need to chown all the Mascot directories (recursively) to:

mascot:www-data

You will also need to set the permissions on the top level directories so that they look like this (group has read and setgid everywhere, group write only where Mascot needs it, and no access for other):

drwxr-s---   mascot www-data  bin
drwxr-s---   mascot www-data  cgi
drwxr-s---   mascot www-data  cluster
drwxrws---   mascot www-data  config
drwxrws---   mascot www-data  data
drwxr-s---   mascot www-data  htdig
drwxr-s---   mascot www-data  html
drwxrws---   mascot www-data  logs
drwxrws---   mascot www-data  sequence
drwxrws---   mascot www-data  sessions
drwxrws---   mascot www-data  taxonomy
drwxrws---   mascot www-data  unigene
drwxr-s---   mascot www-data  x-cgi

You can do this with the following commands, run from the top level Mascot directory (for example /usr/local/mascot). The trailing slash in */ makes the shell match only directories, so any regular files in the top level directory are left alone (a plain * would also set the setgid bit on them):

chmod o-rwx,g+s,g+r,g-w */

chmod g+w config/ data/ sequence/ sessions/ taxonomy/ unigene/

And then set the files in the config, logs and sessions directories to be writeable by the group:

chmod -R g+w config/ logs/ sessions/

Check the result with ls -l: each directory should show an 's' in the group execute position, as in the listing above.
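The whole procedure above (chown, the chmod commands, and a check that a directory created under a setgid directory really does inherit the bit, which is what makes UnixDirPerm 2770 work for the daily result directories) as a script. This is an added example, not part of the original post or of the Mascot distribution. It assumes the top level layout listed above, a user and group named mascot and www-data (both overridable through environment variables), and it only attempts the chown when running as root and both the user and the group exist, so the permission part can be rehearsed by an ordinary user on a scratch copy of the tree.

```shell
#!/bin/bash
# Added example: apply and verify the Mascot directory permission scheme.
# Assumptions (not from the original post): MASCOT_OWNER/MASCOT_GROUP name the
# ms-monitor.exe user and the Apache group; they default to mascot/www-data.
set -u

MASCOT_OWNER="${MASCOT_OWNER:-mascot}"
MASCOT_GROUP="${MASCOT_GROUP:-www-data}"

# Top level directories of a Mascot installation, and the subset that the
# www-data CGI processes (and ms-monitor.exe) must be able to write to.
ALL_DIRS="bin cgi cluster config data htdig html logs sequence sessions taxonomy unigene x-cgi"
GROUP_WRITABLE_DIRS="config data logs sequence sessions taxonomy unigene"

# Build an empty copy of the layout (for rehearsing on a scratch path;
# mkdir -p and empty placeholder files are harmless on a real tree).
make_mascot_layout() {
    local root="$1" d
    for d in $ALL_DIRS; do mkdir -p "$root/$d"; done
    mkdir -p "$root/data/test"
    : > "$root/config/mascot.dat"      # constructed placeholder, empty
    : > "$root/logs/monitor.log"       # constructed placeholder, empty
}

# Apply the scheme: owner mascot, group www-data, setgid plus group read on
# every top level directory, nothing for "other", group write where needed.
harden_mascot_tree() {
    local root="$1"
    if [ "$(id -u)" -eq 0 ] \
       && id "$MASCOT_OWNER" >/dev/null 2>&1 \
       && getent group "$MASCOT_GROUP" >/dev/null 2>&1; then
        chown -R "$MASCOT_OWNER:$MASCOT_GROUP" "$root"
    else
        echo "note: not root or $MASCOT_OWNER/$MASCOT_GROUP missing, skipping chown" >&2
    fi
    ( cd "$root" || exit 1
      # "*/" matches directories only, so stray files in the root are untouched.
      # u=rwx,g=rxs,o= gives drwxr-s--- regardless of the previous mode.
      chmod u=rwx,g=rxs,o= -- */
      chmod g+w -- $GROUP_WRITABLE_DIRS
      # Existing files in these directories must be group-writable as well.
      chmod -R g+w -- config logs sessions )
}

# Audit: report every top level directory whose octal mode deviates from the
# scheme (2750 read-only for the group, 2770 group-writable). Returns 1 on any
# deviation so it can be used in cron or a configuration check.
verify_mascot_tree() {
    local root="$1" d want got rc=0
    for d in $ALL_DIRS; do
        want=2750
        case " $GROUP_WRITABLE_DIRS " in *" $d "*) want=2770 ;; esac
        got=$(stat -c '%a' "$root/$d")
        if [ "$got" != "$want" ]; then
            echo "$root/$d: mode $got, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Demonstrate why the setgid bit matters: a directory created inside a setgid
# directory (as ms-monitor.exe does for mascot/data/yyyymmdd) inherits the
# parent's group and the setgid bit, so the CGI process can write there too.
check_setgid_inheritance() {
    local root="$1"
    mkdir -p "$root/data/20160718"          # constructed daily directory name
    [ -g "$root/data/20160718" ]
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    harden_mascot_tree "$2" && verify_mascot_tree "$2" && check_setgid_inheritance "$2"
fi
```

Run it as root with `--apply /usr/local/mascot` on a real installation, or source it and call `make_mascot_layout` on a temporary directory first to see the resulting modes with `ls -l` before touching the server. The audit function deliberately compares against the exact octal modes so that a later `chmod -R 777` by a well-meaning administrator is caught.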

And finally, if you are using Database Manager you may need to use ACLs so that newly created files and directories have the correct permissions. If you get a write error in Database Manager saying that a file or directory cannot be created, then set a default ACL on the sequence directory:

root@X:/usr/local/mascot# setfacl -dm g:www-data:w sequence/

Before doing this, check that your filesystem supports ACLs (setfacl fails with "Operation not supported" if it does not), and inspect the result with getfacl sequence/; remember that the effective rights of a named group entry are limited by the ACL mask entry. You will also need to manually add write access for the group to the database that failed. This step will not be required in Mascot 2.6 and later.

Following these instructions will give you a more secure server.
