LinuxQuestions.org
Old 10-02-2004, 07:57 PM   #1
clarence1720
LQ Newbie
 
Registered: Oct 2004
Location: Denver
Distribution: Red Hat 9.0
Posts: 29

Rep: Reputation: 15
Protecting a directory with chmod, owner, groups, others


Okay, here is the background.
I have 2 users: user 1 = gelt, user 2 = redwolf.



User redwolf is in group redwolf.
User redwolf's home directory is in /home/redwolf.
User redwolf is a standard user, simply logs in and does simple stuff


User gelt is in group gelt
User gelt's home directory is /gelttech.com
User gelt logs in and uploads the pages for www.gelttech.com, which is located in /gelttech.com/html/



Here is the situation. I need to have the directory gelttech.com only viewable by user gelt, and whatever processes are needed to read and display gelttech.com located in /gelttech.com/html/.


I have added apache to the group gelt and then issued the following command.


[root@server-rig /]# chmod 770 gelttech.com


After doing this, I get the Apache test page, and not the simple index.html page that I created. I then issue this command.


[root@server-rig /]# chmod 771 gelttech.com


After doing this, www.gelttech.com loads to the simple index.html page that I created. There is a problem with 771: redwolf can now delve into the /gelttech.com directory, whereas with 770, redwolf gets access denied when trying to go into the /gelttech.com directory.


WHAT do I need to do in order to keep redwolf out of /gelttech.com and yet still be able to have the page load properly and the user gelt upload any changes to gelttech.com?
 
Old 10-02-2004, 08:21 PM   #2
Boudewijn
Member
 
Registered: Nov 2003
Location: The Netherlands
Distribution: MDK: 10,10.1,10_amd64,9.2,9.1 . Debian: sarge,woody, Gentoo (X86 amd64 Sparc)
Posts: 219

Rep: Reputation: 30
try a chmod XXX * -R

the -R is for recursive ;-)
 
Old 10-03-2004, 01:18 AM   #3
clarence1720
LQ Newbie
 
Registered: Oct 2004
Location: Denver
Distribution: Red Hat 9.0
Posts: 29

Original Poster
Rep: Reputation: 15
I tried this command:

chmod 770 gelttech.com -R

and got the apache test page. I tried 771 and got this:
-------------------------------------------------------
Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster

Error 403
----------------------------------------------------

The only one that will allow the correct access to /gelttech.com/html/index.html is:

chmod 775 gelttech.com -R

Is there anything else that I need to add to the gelt group besides the apache user?
 
Old 10-22-2004, 07:16 PM   #4
thegnu
Member
 
Registered: May 2004
Location: St. Petersburg, FL USA
Distribution: Arch Linux, Fedora Core 3
Posts: 51

Rep: Reputation: 15
chmod sets the mode of the files in 4 columns. If anything is left off, it is perceived by chmod as a leading zero.
column 1 is the sticky bit
column 2 is the owner bit
column 3 is the group bit
column 4 is the others bit

The bit values mean:
4 = read
2 = write
1 = execute/VIEW

Add them together for whatever you want.

So in theory 770 should work fine. You don't need anything but a zero on the others bit. If you do ls -l, what comes up as the owning group? Users? Do:

Code:
chown -R gelt:gelt /gelttech.com
Looky, my home directory:
Code:
drwxr-xr-x  5 thegnu users     144 Oct 17 19:19 Choices
drwxr-xr-x  2 thegnu users      48 Oct 19 08:02 Desktop
drwxr-xr-x  3 thegnu users      72 Oct 19 20:41 bin
-rw-r--r--  1 thegnu users    8771 Oct 18 10:25 rainbow.mid
drwxr-xr-x  4 thegnu users     168 Oct 21 20:15 thun
If thegnu is part of thegnu group, and apache is part of thegnu group, can apache listen to the beauteous somewhere over the rainbow midi file? I think not. The users group owns it.

What I think is happening is that apache is part of the gelt group, but the gelt group doesn't own the folder. If this doesn't work, post the results of
Code:
ls -al /gelttech.com

Last edited by thegnu; 10-22-2004 at 07:20 PM.
 
Old 10-22-2004, 09:17 PM   #5
clarence1720
LQ Newbie
 
Registered: Oct 2004
Location: Denver
Distribution: Red Hat 9.0
Posts: 29

Original Poster
Rep: Reputation: 15
I figured it out

I figured it out.


I set the owner to be apache and gave him full permissions and I set the group to be the group that contains the user that I want to have access and give them full permissions. Then I set other to 0. This worked great. Apache could get in and load up the page. The user could get in and make changes. Other users could not get into the directory unless they were part of the group.


Thanks =)

Lance Elmshaeuser
 
Old 10-23-2004, 12:39 AM   #6
mipia
Member
 
Registered: May 2003
Location: lake michigan
Distribution: Debian, Mint, Slackware
Posts: 457

Rep: Reputation: 35
welcome to the wonderful world of system administration
 
Old 10-26-2004, 05:39 AM   #7
TaTaE
LQ Newbie
 
Registered: Sep 2004
Distribution: Fedora Core 2 on Pentium III 700Mhz
Posts: 6

Rep: Reputation: 0
protecting directories

I was wondering how to select only files or only directories when I do a "chmod".
Because chmod 744 -R * made all my files executable, and I did that only to be able to enter my directories.

I'd really need that solved.
 
Old 11-05-2004, 10:25 AM   #8
thegnu
Member
 
Registered: May 2004
Location: St. Petersburg, FL USA
Distribution: Arch Linux, Fedora Core 3
Posts: 51

Rep: Reputation: 15
Re: protecting directories

Quote:
Originally posted by TaTaE
I was wondering how to select only files or only directories when I do a "chmod".
Because chmod 744 -R * made all my files executable, and I did that only to be able to enter my directories.

I'd really need that solved.
Lifted from a post by digiot:

Quote:
Code:
find -type f -exec chmod 664 {} \;
-- (From the top of the directories you want to recursively change - not from / or anything. )
will only chmod the files 664. So now that you can see inside your directories, run this to chmod the files to whatever value you want.
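
An added example, not part of any post in this thread: the find-based approach quoted above, extended to set directory and file modes in two passes and so undo the effect of `chmod 744 -R *`. The function names, the 750/640 modes and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Modes 750/640 are illustrative.

# set_tree_modes ROOT DIRMODE FILEMODE
set_tree_modes() {
    root=$1; dirmode=$2; filemode=$3
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories first, so the second pass can traverse them.
    find "$root" -type d -exec chmod "$dirmode" {} \; || return 1
    # Regular files only; symlinks, devices and sockets are left alone.
    find "$root" -type f -exec chmod "$filemode" {} + || return 1
}

# Constructed sample tree in the state "chmod 744 -R *" leaves behind:
# every file executable by its owner.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/html/img"
    echo '<h1>test</h1>' > "$t/html/index.html"
    : > "$t/html/img/logo.png"
    chmod -R 744 "$t"
    echo "$t"
}

# Print "MODE PATH" for everything under ROOT (stat -c is GNU coreutils).
show_modes() {
    find "$1" -exec stat -c '%a %n' {} + | sort -k2
}

tree=$(make_sample_tree) || exit 1
set_tree_modes "$tree" 750 640
show_modes "$tree"
rm -rf "$tree"
```

The symbolic form `chmod -R u=rwX,g=rX,o=` would not repair this tree, because `X` keeps execute on any file that already has an execute bit set.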
 
Old 11-05-2004, 01:51 PM   #9
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
One big problem with this scenario. You have just blown Apache's and Linux security out of the water and taken it down to the Windows level. Apache is run with a non-privileged user just to keep things like this from happening. If a hacker or exploit comes out, the Apache process can now delete all of your files that are owned by apache. This is a bad idea. It is never recommended to have the Apache process own any files.
 
Old 11-05-2004, 03:36 PM   #10
looseCannon
Member
 
Registered: Dec 2003
Location: Little Rock, AR
Distribution: Fedora Core 2, AIX, HP-UX, Solaris, Whitebox
Posts: 193

Rep: Reputation: 31
Shameless Plug

I've run into this kind of thing several times before. To get around the scenario of having to make recursive changes in ownership and permissions I wrote a perl script to handle it all for me. Works real well.

The script will ask you for the starting point, who to set the owner and group to, and what permissions you want on the directories. By default it will make the permissions of all the files 0664 (you can change this in the script).

The script is freely available at http://barrelofmonkeys.sytes.net/scripts/scripts.php

It is called chdirperm.pl

Last edited by looseCannon; 11-05-2004 at 03:37 PM.
 
Old 11-05-2004, 09:06 PM   #11
clarence1720
LQ Newbie
 
Registered: Oct 2004
Location: Denver
Distribution: Red Hat 9.0
Posts: 29

Original Poster
Rep: Reputation: 15
Apache is still a non-privileged user... no password... no home directory. No one can log in as user apache. In "theory" it still should be secure... right?
 
Old 11-05-2004, 09:18 PM   #12
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
In theory. Assuming you never have a bad script, Apache never has a vulnerability etc....
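
An added example, not part of any post in this thread: a check for the exposure raised in posts #9 and #12, listing paths under a web root that the server account owns or can write to. The function names and the sample tree are constructed; the account and group passed in (for instance `apache`) are assumptions about the local setup.

```shell
#!/bin/sh
# Added example, not code from the thread.

# audit_docroot ROOT SERVER_USER SERVER_GROUP
# Prints one finding per line; prints nothing when the tree is clean.
# SERVER_USER and SERVER_GROUP may be names or numeric ids.
audit_docroot() {
    root=$1; srv_user=$2; srv_group=$3
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Anything the server account owns, it can chmod, rewrite or delete.
    find "$root" ! -type l -user "$srv_user" -print |
        sed 's/^/OWNED_BY_SERVER /'
    # Group write for the server's group lets the server process alter content.
    find "$root" ! -type l -group "$srv_group" -perm -020 -print |
        sed 's/^/GROUP_WRITABLE /'
    # World-writable paths are writable by the server and every local user.
    find "$root" ! -type l -perm -002 -print |
        sed 's/^/WORLD_WRITABLE /'
}

# Constructed demo: the current uid/gid stand in for the server account,
# so every path is reported as owned by it and index.html as writable.
demo_audit() {
    d=$(mktemp -d) || return 1
    mkdir "$d/html"
    echo '<h1>test</h1>' > "$d/html/index.html"
    chmod 750 "$d" "$d/html"
    chmod 666 "$d/html/index.html"
    audit_docroot "$d" "$(id -u)" "$(id -g)"
    rm -rf "$d"
}

demo_audit
```

A layout that passes this check has the site owner owning the files, the server reading them through its group, directories at 750 and files at 640.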
 
Old 11-06-2004, 02:33 AM   #13
TaTaE
LQ Newbie
 
Registered: Sep 2004
Distribution: Fedora Core 2 on Pentium III 700Mhz
Posts: 6

Rep: Reputation: 0
files and directories permissions

Thanks for the scripts. I'll check them out as I run Fedora Core. Hope they'll run.
 
  



All times are GMT -5. The time now is 08:55 PM.
