Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I am running Fedora Core 3. This is my first time posting a question here. I have installed apache2/php5/mysql5. I guess I was hoping someone could give me a basic rundown of permissions. I am going to have one site on the system. I made a group of users called ftp-users. I want the ftp users to have permissions to write files via ftp to the DocumentRoot (/var/www/html) directory. But I don't want to compromise security on my DocumentRoot for web server stuff. What should my permissions on the DocumentRoot be? Maybe I should ask this. If you were to set up an apache server to serve one site, what would your permissions be on the DocumentRoot for maximum security and still allow php scripts to run? Would it be easier for me to set permissions if I did use a folder within the DocumentRoot to store my html and php files in? Any help would be greatly appreciated. Thanks.
Yeah, you can create a directory called cgi-bin somewhere under your document root and put all your php scripts in this directory. There are directives you can set in your config file that will enable execution of these scripts for that directory. This way, you don't have rogue php scripts all over the place.
If you're running with apache/apache as the user/group, then you can chmod your scripts to 700 or 755... really as long as you don't use a 7 in the second or third digit, you're probably ok.
If you start adding user accounts to your system and adding more websites in the future, then you should think about running with suexec and maybe tighten up the permissions a little more.
Okay, so what would be the best permissions for the documentroot itself? Don't mean to ask dumb questions. But whenever I change permissions on the document root, it seems I cannot create folders and stuff with dreamweaver, via ftp connection, in the document root.
Okay, so I change the permissions to 755 for the documentroot. Now the ftp users cannot make directories in there with dreamweaver. So now under the document root I should create another folder to house my php pages and stuff? And give the group I want to allow write access ownership of that directory? And modify those permissions accordingly while leaving the docroot 755? Like I said, I don't mean to be a pest, but want to make sure I learn this so in the future I don't have to post here about it again.
It's OK to make all of the subdirectories under your document root chmod 755. I assume the problem you are having is... each FTP user is logging in as a different username. The directories you have under your document root are probably owned by the "apache" user and since they only allow write access to the owner, the FTP users are not allowed to write into these directories.
One solution is to have all of your FTP users log in as the same user account and then chown everything under your document root to that user.
Another solution is to have all of your FTP users part of the same group and then give all your directories write access for the group. So you'd use chmod 775 instead for all your folders. This means your security is getting more relaxed.
The other solution is to have everyone logging in as the apache user, which isn't very good either, but I can see no other way of doing it.
I'd be careful anyway about allowing a whole bunch of users to log in to the same website. Remember the old saying... Too many cooks spoil the broth. It's easy for them to walk all over each other when 2 (or more!) users are logged in at the same time and manipulating files.
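The shared-group option from the reply above (FTP users in one group, directories 775), as an added example that is not part of the original thread. It runs in a constructed temporary sandbox with the caller's own group standing in for ftp-users; the setgid bit on directories, the 664 file mode and all function names are assumptions added here.

```shell
#!/bin/sh
# Added example. Runs in a throwaway sandbox; the caller's own group stands in
# for the thread's ftp-users group (assumption), so no root is needed.

# Build a constructed document root with two deliberately loose entries.
build_sandbox() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/html/uploads"
    : > "$base/html/index.php"
    : > "$base/html/uploads/a.php"
    chmod 0755 "$base/html"
    chmod 0644 "$base/html/index.php"
    chmod 0777 "$base/html/uploads"        # world-writable directory
    chmod 0666 "$base/html/uploads/a.php"  # world-writable script
    printf '%s\n' "$base/html"
}

# Shared-group layout: directories 775, files 664 (file mode is an assumption).
# The leading 2 (setgid, also an assumption) makes new uploads inherit the group.
apply_group_layout() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod 2775 {} + &&
    find "$1" -type f -exec chmod 0664 {} +
}

# Paths with the world-write bit set, which any local account can modify
# (this covers the "7 in the third digit" case from the thread).
audit_world_writable() { find "$1" ! -type l -perm -0002 -print; }

# Paths the group can modify: what 775 deliberately opens to the FTP group.
audit_group_writable() { find "$1" ! -type l -perm -0020 -print; }

docroot=$(build_sandbox)
echo "world-writable before:"; audit_world_writable "$docroot"
apply_group_layout "$docroot" "$(id -g)"
echo "world-writable after:";  audit_world_writable "$docroot"
echo "group-writable after:";  audit_group_writable "$docroot"
rm -rf "${docroot%/html}"
```

On a real server the two audit functions can be pointed at /var/www/html read-only before any chmod is applied, to see which paths the current layout already exposes.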
Yeah, I checked and noticed my reply didn't get posted. Yeah, I had that problem and pulled my head out and thought about it and figured it out about the time I got your reply. Anyway, thanks man. It is for development so I think I will do the 775, then secure it up when the app is finished. Thanks again for getting back to me so fast. That was awesome bro.