NFS static files shared for www but folder created by root and 700

[Charlie Root]

Hi,
Firstly, thank for your time to help me.
I have storage stores static files for websites. I am using NFS share on this storage, and on all backend servers, i mounted this nfs share to be read and written by www user.
All files and folders should be written and owner by www user. However, some time there are few folders was created with root user and permission is drwx------ (700), and then www user can not write files to these folders.
I tried to enable auditd for www user but seem auditd doesn't work with nfs. Have you met this issue before, Do you have idea to debug, find this problem?
Thank for your help!
Here is my exports file:

# cat /etc/exports
/path/to/staticfiles -maproot=www 10.x.x.x


 

[Murph]

Firstly, if the files are truly "static files", there should be no reason for them to be owned by or writeable by the www user. If they are all static files, you would gain additional security by mounting the NFS shares read only, so that a problem or compromise on the web server is unable to change them. Even if it is not practical to make the mounts read only, static web content should generally not be writeable (through file permissions) by the http daemon user. The www user should generally only have minimal write permissions, for the things which it actually needs to be able to change. Ownership and write permission should be assigned to the users and groups who actually need to make changes to them. That's in a traditional Unix web serving model; obviously if you use some sort of mechanism to manage the content over HTTP, such as WebDAV, then the web server user may actually need write permission by some means.

As to the problem of finding directories with restricted permissions, find(1) will help you with that. Something like find [I]/path[/I] -type d ! -perm -0555 -ls, find [I]/path[/I] -user root -ls, or find [I]/path[/I] ! -user www -ls should do the trick. It is a quite powerful utility, so those are just some quick examples which might move you in the right direction; reading the man page and experimenting with it is highly recommended. For best results, run it as root on the file server, so that it can see inside the restricted directories and find deeper levels with the same problem. I believe that audit(4) is not currently supported for NFS mounts, although I'm not 100% certain of that.

Lastly, maproot=www is probably not helpful, and may not do what you might have been wanting it to do. The root user gets mapped to nobody by default over NFS, for security reasons, and you are changing that to map it to www. That will not help with the described problem, as it changes the effective user id of a remote root user accessing the export, not the effective rights of the specified target user. In the described situation, root should not be the user trying to access the filesystem.

 

[Charlie Root]

Hi, Thank for your answer.
sorry about "static files", actually i have upload folder and handler by php code, Users upload file and php process ( rename, check files type ..) and then move to static file folder. And by somehow, directory created is owner by root and makes php process error ( permission deny).
Because of quiet big number of files, find command takes much time to find. i used find /path/to/staticfiles -type d -user root
I removed maproot=www because it is not helpful as you recommend. I will wait if issue appears again. Thank for your help.