LinuxQuestions.org
Old 08-19-2012, 12:52 PM   #1
Vinnipuh
LQ Newbie
 
Registered: Aug 2012
Posts: 2

Rep: Reputation: Disabled
In what way will a file access permission change affect non-root (apache, ftp) users.


The question is...
I have a system on Debian (stable). And I have to create some users.
Well... the file access rights on nearly all files are 755. This means that all created users will have the ability to VIEW nearly all files that are in the system. Having no possibility to make any changes to them, thus the possibility to view them means the opportunity to collect the whole information that is stored.

I can change the permissions on /bin /sbin /etc (and other sys-dirs) so that all other users will have no access to them.

And the question is - will it affect the functionality of other system-specific users such as 'apache', 'ftp', 'mysql', etc., and if it will - then in what way will it affect them.

Last edited by Vinnipuh; 08-19-2012 at 12:53 PM.
 
Old 08-20-2012, 07:24 AM   #2
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Sailfish OS, Android
Posts: 119

Rep: Reputation: 16
Well, I'm not sure I've completely understood the question, just to clear things up. If there's nothing new to you just disregard the message.
Every file (in Linux everything is a file, including directories) has 3 types of permissions (or whatever that's called):
'owner', 'group', and 'other'. The 'owner' stands for the only user account that owns that file. If you change the owner, the previous owner instantly loses access to that file (obviously if he doesn't have the access through 'group' or 'other'). The 'group' stands for a group = a list of users. Definitely you can add or remove users to any group and changing 'group' permissions for a file will affect any user from the group. Finally the 'other' stands for everybody else. Concerning the system-specific users they are nothing different from regular users. So any change performed for those users will have exactly the same effect.
 
Old 08-20-2012, 09:00 AM   #3
Vinnipuh
LQ Newbie
 
Registered: Aug 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
More clear is this:
I go to the /etc dir. Nearly every file in it has 755 permissions.
So any regular user can VIEW file contents. Copy it. Analyze it. Everything except editing.

I want to change the permissions of the files in this dir to 750.
So only User and Group will have access to view/execute the files. And regular users will not even see any files in this dir.
But!!! The system users such as 'apache', 'mysql', 'ftp' will also lose the view access to those files.

So the question is - will the file permission change from 755 to 750 on the /etc dir (for example) affect the system users as mentioned earlier? And will it affect the system functionality?
 
Old 08-20-2012, 09:21 AM   #4
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Sailfish OS, Android
Posts: 119

Rep: Reputation: 16
Yes, it will. That's what groups are for. You should add to the group all the system users and remove everybody who you don't want to be able to have the access to. Still regular users have to have access to some files in /etc. Not sure if they can be off without it though.
 
Old 08-20-2012, 09:30 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
How do those other users access the system? If that is remotely, you can jail the users to their home directory with reasonable ease.
 
Old 08-20-2012, 09:44 AM   #6
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,362

Rep: Reputation: 2004
Quote:
Originally Posted by Vinnipuh
I can change the permissions on /bin /sbin /etc (and other sys-dirs) so that all other users will have no access to them.
You can't do that. All users MUST have access to the programs in /bin or they won't even be able to log into the machine. Just do an ls in /bin and see what programs you would be denying them access to...these are critical system functions.

A chroot jail would be the best way to restrict those users to only the files/directories that are required.
 
Old 08-20-2012, 11:26 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by Vinnipuh
I go to the /etc dir. Nearly every file in it has 755 permissions.
Then somebody fscked up.
/etc holds mostly global resource and configuration files, the password database and system initialization and helper scripts.
0755 for directories OK but files, no, they shouldn't have that, at most 0644, except for the user and group shadow files which should have 0400 or 0600 or init or helper scripts which should have 0755.
Again: these are not the original file access permissions.
If you altered access permissions then change them back before doing anything else.

Last edited by unSpawn; 08-20-2012 at 11:31 AM. Reason: //Add exception, don't state the obvious
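
The modes listed in the post above (directories 0755, files at most 0644, shadow files 0400 or 0600, init and helper scripts 0755) can be checked read-only before changing anything. This is an added example, not code from the thread: the function names, the "first line starts with #!" test for scripts, and the sample tree are assumptions, and it relies on GNU stat.

```sh
#!/bin/sh
# Added example: audit a tree against the modes named in the post above.
# Assumptions: GNU stat; a file counts as a script if line 1 starts with "#!".
SHADOW_OK="400 600"   # from the post; Debian ships shadow as 0640 root:shadow

is_script() { head -n 1 "$1" 2>/dev/null | grep -q '^#!'; }

audit_tree() {   # prints "MODE PATH: finding" for each deviation under $1
    find "$1" \( -type d -o -type f \) | sort | while IFS= read -r p; do
        m=$(stat -c '%a' "$p")
        case ${p##*/} in shadow|gshadow|shadow-|gshadow-) kind=shadow ;; *) kind=other ;; esac
        if [ -d "$p" ]; then
            if [ $((0$m & 022)) -ne 0 ]; then
                echo "$m $p: directory writable by group/other (0755 at most)"
            fi
        elif [ "$kind" = shadow ]; then
            case " $SHADOW_OK " in
                *" $m "*) ;;
                *) echo "$m $p: shadow file should be 0400 or 0600" ;;
            esac
        elif [ $((0$m & 022)) -ne 0 ]; then
            echo "$m $p: file writable by group/other (0644 at most)"
        elif [ $((0$m & 0111)) -ne 0 ] && ! is_script "$p"; then
            echo "$m $p: execute bit on a non-script (0644 at most)"
        fi
    done
}

make_demo() {    # constructed sample layout, not a real /etc
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/open.d"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$d/passwd"
    printf 'root:*:15000::::::\n'        > "$d/shadow"
    printf 'nameserver 192.0.2.1\n'      > "$d/resolv.conf"
    printf '#!/bin/sh\nexit 0\n'         > "$d/init.d/demo"
    chmod 755 "$d" "$d/init.d" "$d/init.d/demo" "$d/resolv.conf"
    chmod 777 "$d/open.d"
    chmod 644 "$d/passwd" "$d/shadow"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo); audit_tree "$d"; rm -rf "$d"
fi
```

Calling `audit_tree /etc` only reads modes and changes nothing; on the constructed tree it reports the 0777 directory, the 0755 resolv.conf and the 0644 shadow file, and leaves the 0755 init script alone.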
 
  


All times are GMT -5.
