Improved security for Mascot Installations under Linux
In the manual, we recommend (because it is easiest) that ms-monitor.exe is run as root. However, a more secure arrangement is to run ms-monitor.exe as a less privileged user.
By default, Apache cgi processes run as www-data:www-data, and for most distros, this is set in the envvars file:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
This can, however, be overridden in the /etc/apache2/apache2.conf file:
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
For this article, we will assume that your system has the default configuration.
The directories that need to be written to by the apache cgi process (i.e. www-data:www-data) are:
- mascot/config/*
- mascot/data (and subdirectories)
- mascot/logs/*
- mascot/sequence (if you use database manager)
- mascot/sessions/*
- mascot/taxonomy
- mascot/unigene
In addition, ms-monitor.exe needs to be able to write to all the above files and directories. For example, when ms-monitor.exe finds a new database to bring on-line, it runs a test search. This means it needs to create a file in mascot/data/test, it may need to create the mascot/data/yyyymmdd directory if it doesn’t exist, and it will need to add files to that directory. A potential problem occurs if ms-monitor.exe creates a subdirectory under mascot/data that the cgi process cannot then write to. In addition to the above, ms-monitor.exe also needs to write to:
- mascot/bin/monitor.pid
A more secure arrangement is to run ms-monitor.exe as a user that also belongs to www-data, to make the directories writeable by this group, and to use the setgid bit so that files and directories created inside them inherit that group.
To do this, there are two settings in the options section of mascot.dat that will need to be changed, or added if they are not present:
UnixDirPerm
This specifies, in octal, the Linux permissions that will be set for the ‘daily’ result file directories created. The default is 777. For example, 775 makes each directory world readable but not writeable. If you set this to 2770, then the directories will not be world readable, and the setgid bit will be set so that all new files created in the directory will have the same group as the parent directory.
UnixWebUserGroup
This entry, if present, will be used to set the group id of directories created by Mascot. If it is set to -1 (the default) then no group will be set. The value should be the number of the group rather than the name. Group numbers can be found in the /etc/group file.
Example:
Create a user, ‘mascot’, that belongs to www-data and possibly other group(s) such as users. www-data does not need to be the primary group. In this example, the group id of www-data on the system is 33.
ms-monitor.exe is run as ‘mascot’.
In the options section of mascot.dat:
UnixDirPerm 2770
UnixWebUserGroup 33
You will need to chown all the mascot directories as:
mascot:www-data
You will also need to set the permissions on the top level directories:
drwxr-s--- mascot www-data bin
drwxr-s--- mascot www-data cgi
drwxr-s--- mascot www-data cluster
drwxrws--- mascot www-data config
drwxrws--- mascot www-data data
drwxr-s--- mascot www-data htdig
drwxr-s--- mascot www-data html
drwxrws--- mascot www-data logs
drwxrws--- mascot www-data sequence
drwxrws--- mascot www-data sessions
drwxrws--- mascot www-data taxonomy
drwxrws--- mascot www-data unigene
drwxr-s--- mascot www-data x-cgi
You can do this with the commands:
chmod o-w,o-r,o-x,g+s,g+r,g-w *
chmod g+w config/ data/ sequence/ sessions/ taxonomy/ unigene/
And then set the files in the config, logs and sessions directories to be writeable by the group:
chmod -R g+w config/ logs/ sessions/
And finally, if you are using Database Manager you may need to use ACLs so that newly created directories have the correct permissions. If you get a write error in Database Manager saying that a file or directory cannot be created, then set the ACL for the sequence directory:
root@X:/usr/local/mascot# setfacl -dm g:www-data:w sequence/
Before doing this, check that your system supports ACLs. You will also need to manually add write access for the group to the database that failed. This step will not be required in Mascot 2.6 and later.
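The whole procedure above, as an added example that is not a Matrix Science script: it builds a throwaway directory tree shaped like the Mascot installation, applies the chmod sequence from this article, verifies that the resulting modes match the listing, and then mimics ms-monitor.exe creating a daily results directory with UnixDirPerm 2770 to show that files created inside inherit the directory's group. It assumes GNU stat (the -c option), and the chown and setfacl steps only run when the ‘mascot’ and ‘www-data’ accounts and the ACL tools actually exist on the machine; the directory and file names it creates are constructed placeholders.

```bash
#!/bin/bash
# Added example (not Matrix Science's own code): replay the article's
# permission setup on a constructed tree and check the result.
# Assumes GNU stat; 'mascot' and 'www-data' accounts are assumed for chown.

set -u

# Top-level directories the article's listing shows as drwxrws--- (group-writeable).
GROUP_WRITABLE_DIRS="config data logs sequence sessions taxonomy unigene"
# Top-level directories the listing shows as drwxr-s--- (group read + setgid only).
GROUP_READ_DIRS="bin cgi cluster htdig html x-cgi"

# Build a constructed sample tree under $1 so the script runs offline.
make_sample_tree() {
    root="$1"
    umask 022                              # deterministic starting modes (755/644)
    for d in $GROUP_WRITABLE_DIRS $GROUP_READ_DIRS; do
        mkdir -p "$root/$d"
    done
    mkdir -p "$root/data/test"
    : > "$root/config/mascot.dat"          # constructed placeholder files
    : > "$root/logs/monitor.log"
    : > "$root/sessions/sess_example"
    : > "$root/bin/monitor.pid"
}

# Apply the article's chmod commands (and, as root, its chown) to the tree at $1.
apply_mascot_perms() {
    root="$1"
    (
        cd "$root" || exit 1
        # Drop all world access, give the group read+exec plus setgid,
        # and start from no group write on every top-level directory.
        chmod o-w,o-r,o-x,g+s,g+r,g-w *
        # Re-add group write where the cgi process must create files.
        chmod g+w config/ data/ sequence/ sessions/ taxonomy/ unigene/
        # Existing files in config, logs and sessions must be group-writeable too.
        chmod -R g+w config/ logs/ sessions/
        # Ownership can only be reassigned by root; the target is mascot:www-data.
        if [ "$(id -u)" -eq 0 ] && id mascot >/dev/null 2>&1 \
           && getent group www-data >/dev/null 2>&1; then
            chown -R mascot:www-data .
        fi
    )
}

# Return 0 if the tree at $1 matches the article's target listing, else 1.
check_mascot_perms() {
    root="$1"
    for d in $GROUP_WRITABLE_DIRS; do
        [ "$(stat -c %a "$root/$d")" = "2770" ] || return 1
    done
    for d in $GROUP_READ_DIRS; do
        [ "$(stat -c %a "$root/$d")" = "2750" ] || return 1
    done
    # Files ms-monitor.exe and the cgi process share must be group-writeable.
    [ "$(stat -c %a "$root/logs/monitor.log")" = "664" ] || return 1
    [ "$(stat -c %a "$root/config/mascot.dat")" = "664" ] || return 1
    return 0
}

# Mimic ms-monitor.exe creating a daily results directory with UnixDirPerm 2770:
# the setgid bit makes files created inside inherit the directory's group,
# which is what lets the cgi process (a member of that group) write to them.
make_daily_dir() {
    dir="$1"
    mkdir "$dir" && chmod 2770 "$dir" || return 1
    : > "$dir/F000001.dat"                 # constructed result-file name
    [ "$(stat -c %g "$dir")" = "$(stat -c %g "$dir/F000001.dat")" ]
}

# Optional Database Manager step from the article: a default ACL so new entries
# under sequence/ are group-writeable. Runs only if setfacl and the group exist.
apply_sequence_acl() {
    root="$1"
    if command -v setfacl >/dev/null 2>&1 && getent group www-data >/dev/null 2>&1; then
        setfacl -dm g:www-data:w "$root/sequence/"
    fi
}

# Stand-alone run on a temporary tree: ./mascot_perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    apply_mascot_perms "$tmp"
    check_mascot_perms "$tmp" && echo "permissions match the article's listing"
    make_daily_dir "$tmp/data/20240101" && echo "daily directory inherits its group"
    rm -rf "$tmp"
fi
```

Run it against a scratch directory first; only point apply_mascot_perms at a real installation once you have stopped ms-monitor.exe, and remember that the real chown step needs root and the real ACL step needs a filesystem mounted with ACL support.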
Following these instructions will give you a more secure server.