LinuxQuestions.org
Old 07-29-2005, 06:55 AM   #1
Garp
Member
 
Registered: Jul 2003
Location: Oahu, Hawaii, USA
Distribution: Ubuntu, Debian, RHES
Posts: 57

Rep: Reputation: 15
chmod rights over ftp/telnet


I'm a little baffled at the moment. We have a Red Hat Enterprise Linux 4 box which ultimately will be replacing our win32 apache box to host our intranet pages, and probably internet too (we're merging with an organisation that has theirs hosted externally.. no one has worked out which way we're going yet with that)

I'm not too hot on locking up the box, but got the redhat firewall running restricting services, and our hardware firewall locks down the incoming traffic onto site. On site I can telnet to the box to admin it where needed, but externally only have ftp access. Root cannot login over ftp, but can over telnet which is fine as far as I'm aware?
Two user accounts have been made, one for myself and one for the boss so that we can ftp into the server and upload any new webcontent, both of which exist in a webteam group. Apache has its own user account and group.
Following advice in an Apache2 book on how to secure it under linux, I've run "chmod -R 2570 *" from the root of the htdocs folder, and "chown -R httpd.webteam", so that apache can read and execute but not modify files, and in theory both mine and my boss's accounts can read/write/execute all files. We've tested this and both of us can upload, delete and modify files over ftp or through telnet. However, neither of us can "chmod" any files over ftp which we'd like to do where possible. Obviously I'd rather not have root enabled for ftp access!

An example file having run "ls -l":
-r-xrws--- 1 httpd webteam 13671152 Jul 1 14:34 moodle-latest-15.tgz

I know I'm possibly missing something obvious, can anyone advise me on what I've messed up?

Last edited by Garp; 07-29-2005 at 06:59 AM.
 
Old 07-29-2005, 09:47 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Re: chmod rights over ftp/telnet

First, why do u use telnet? It is insecure. U should prefer ssh. It is secure and u can also transfer files via ssh (scp).

I don't know what ftp server u use, but all of them must have an option for file create mode, so the files should be able to be created with those rights. Take a look at the config file of your ftp server.

good luck.
 
Old 07-29-2005, 04:32 PM   #3
Garp
Member
 
Registered: Jul 2003
Location: Oahu, Hawaii, USA
Distribution: Ubuntu, Debian, RHES
Posts: 57

Original Poster
Rep: Reputation: 15
Re: Re: chmod rights over ftp/telnet

Quote:
Originally posted by maxut
First, why do u use telnet? It is insecure. U should prefer ssh. It is secure and u can also transfer files via ssh (scp).

I don't know what ftp server u use, but all of them must have an option for file create mode, so the files should be able to be created with those rights. Take a look at the config file of your ftp server.

good luck.
You know what.. I've got no idea why I said telnet?! I'm using SSH (Putty to be precise..) Doh!

It's definitely a user rights thing, we can create files, not chmod them which we need to do.
I can log in to a console screen and face exactly the same thing, can't change file rights that I have full rights to as part of the webteam group.

Last edited by Garp; 07-29-2005 at 04:33 PM.
 
Old 07-29-2005, 05:52 PM   #4
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Only the owner (httpd in this case) and root can change a file's permission
 
Old 07-30-2005, 09:45 AM   #5
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 620

Rep: Reputation: 30
Howzit

U have to set the sticky bit permission on the group permission so that when any user accesses a common directory for everybody they are able to create a file and it gives them all the same user and group perms for everybody. Sticky bit perms look like this drwxrwsr_x as u can see the s represents the sticky bit when it is active.

Read more on the following site http://www.geocities.com/tipsforlinux/articles/028.html

cheers
 
Old 08-01-2005, 05:15 AM   #6
Garp
Member
 
Registered: Jul 2003
Location: Oahu, Hawaii, USA
Distribution: Ubuntu, Debian, RHES
Posts: 57

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by demian
Only the owner (httpd in this case) and root can change a file's permission
There's no way to make that apply by group?

Is there another way I can allow specified users chmod rights without compromising security?

Quote:
Originally posted by aqoliveira
Howzit

U have to set the sticky bit permission on the group permission so that when any user accesses a common directory for everybody they are able to create a file and it gives them all the same user and group perms for everybody. Sticky bit perms look like this drwxrwsr_x as u can see the s represents the sticky bit when it is active.

Read more on the following site http://www.geocities.com/tipsforlinux/articles/028.html

cheers
Does that only apply to new files added after the event? Would only that individual user and root be able to then change permissions later on down the line? So if, say, my boss uploaded a new file and gave it the wrong file rights, I'd have to use root to put them right (or get him to change them himself)
 
Old 08-01-2005, 01:26 PM   #7
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 620

Rep: Reputation: 30
Howzit

U have two ways in doing this:

1. U can create a group and then set the sticky bit so that everyone that belongs to that group will have the same permissions when creating a file, not sure if u will be able to change the perms for each individual. e.g drwxrwsr_x "chmod 1775 xyz"

2. Creating a directory then set the sticky bit to the directory where everyone that creates a file in that directory remains the owner and then he is able to change the perms and allow other people to read and edit that file. e.g drwxrwsrwt "chmod 2755 xyz"

Hope this helps

cheers
 
Old 08-03-2005, 04:16 AM   #8
Garp
Member
 
Registered: Jul 2003
Location: Oahu, Hawaii, USA
Distribution: Ubuntu, Debian, RHES
Posts: 57

Original Poster
Rep: Reputation: 15
Sorry to be a pain, I still can't resolve this.

I tried your suggestion in option 1, in a testing area. I created the folder whilst logged in as root, and then chowned it the same way as the htdocs and subfolders are:

drwxrwxr-t 2 httpd webteam 4096 Aug 3 09:34 testfolder

Nice t mark showing sticky bit

I then logged in with my account, which is part of the webteam, and was able to upload and chmod files I'd put there. When I got my boss to log in, whose account is also part of the webteam group, he wasn't able to chmod the file.

Am I just barking up the wrong tree here, asking the impossible?

Last edited by Garp; 08-03-2005 at 04:17 AM.
 
Old 08-03-2005, 07:58 AM   #9
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 620

Rep: Reputation: 30
Howzit

This is what's wrong with your setup. If u use 1755, for example, this will allow a user to create files in that directory and keep his original permissions, e.g.

- create directory /tmp/tony where tony is the common area for everyone
- set permissions chmod 1755 /tmp/test
- permissions look like this drwxr_xr_t for test
- when users create their files in this directory then the perms they originally had remain the same (e.g user name tony group tony)
- cd /tmp/test
- touch test1 (create an empty file)
- ls -la
- test will look like this rw_rw_r_ tony tony test1

If u use 2755 this will allow u to have a common area where the group name is always set to the one u specify no matter what the group name was for the original user

- create directory /tmp/tony where tony is the common area for everyone
- set permissions chmod 2775 /tmp/test1
- permissions look like this drwxrwsr_x for test1
- when users create their files in this directory then the perms they receive are the ones set originally by the local directory but this is only true for the group as the user perms remain the same for the user that created it (e.g user name tony group tony)
- cd /tmp/test1
- original perms for the test1 directory are root:test1
- touch test2 (create an empty file)
- ls -la
- test will look like this rw_rw_r_ tony test1 test2

In both cases u are able to change the perms

This
 
Old 08-04-2005, 06:20 AM   #10
Garp
Member
 
Registered: Jul 2003
Location: Oahu, Hawaii, USA
Distribution: Ubuntu, Debian, RHES
Posts: 57

Original Poster
Rep: Reputation: 15
This doesn't fix anything.. sure the default group for any files created in the folder is now webteam, but still only the file creator can change its CHMOD rights, no matter what permissions are set on the folder, be it 2775, 1775, 7775, or anything, I just keep coming back to "chmod: changing permissions of `test1': Operation not permitted"

I guess I'm just going to have to create a common login account for myself and the boss, otherwise we're never going to be able to administer the website.

Last edited by Garp; 08-04-2005 at 06:24 AM.
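
The rules this thread keeps running into (demian's owner-or-root rule for chmod, and the setgid and sticky directory modes tried in the later posts) can be replayed in a small Python model. This is an added example, not code from any poster; the uid/gid numbers are constructed stand-ins for the thread's accounts, and root is modelled as uid 0.

```python
import stat
from dataclasses import dataclass

@dataclass
class User:
    uid: int
    gid: int                         # primary group
    groups: frozenset = frozenset()  # supplementary groups

@dataclass
class Node:
    owner: int
    group: int
    mode: int                        # file-type bits plus permission bits

def ls_mode(node):
    """Mode column as `ls -l` prints it."""
    return stat.filemode(node.mode)

def create_file(directory, user, perms=0o664):
    """Owner is always the creator; a setgid directory hands down its group."""
    group = directory.group if directory.mode & stat.S_ISGID else user.gid
    return Node(user.uid, group, stat.S_IFREG | perms)

def may_chmod(user, node):
    """chmod(2): owner or root only. Group membership and rwx bits play no part."""
    return user.uid in (0, node.owner)

def may_unlink(user, directory, node):
    """Needs write+search on the directory; sticky adds an ownership test."""
    if user.uid == 0:
        return True
    if user.uid == directory.owner:
        bits = directory.mode >> 6
    elif directory.group in {user.gid} | user.groups:
        bits = directory.mode >> 3
    else:
        bits = directory.mode
    if bits & 0o3 != 0o3:
        return False
    if directory.mode & stat.S_ISVTX:
        return user.uid in (node.owner, directory.owner)
    return True

# Constructed ids standing in for the thread's accounts.
HTTPD, WEBTEAM = 48, 500
garp = User(501, 501, frozenset({WEBTEAM}))
boss = User(502, 502, frozenset({WEBTEAM}))
sticky_dir = Node(HTTPD, WEBTEAM, stat.S_IFDIR | 0o1775)   # drwxrwxr-t
setgid_dir = Node(HTTPD, WEBTEAM, stat.S_IFDIR | 0o2775)   # drwxrwsr-x
```

In both directories `may_chmod(boss, create_file(d, garp))` is false: the directory bits only decide which group a new file gets (setgid) and who may delete it (sticky), never who may chmod it.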
 
  


All times are GMT -5. The time now is 03:11 AM.