Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
i am running debian-sarge.
i am using it to virtually host a few websites. One of them, i just installed
joomla on ( a content management system ) the ownership of the directory was given to user billy, but the installation needed to be able to write to some files in the web_root directory (owned by billy) and the user www-data that apaceh runs under would gimme a no-go. Now i changed the ownership of the web_root to www-data and it installed fine, but now billy will not be able to edit his content from ftp, or ssh or whatever now. So what do i do to overcome this. Do i add www-data to the billy group, or do i add billy to the www-data group ?. I did a chmod 755 on the directory, was this a mistake ?
sorry to sound a bit paranoid or pannicked, but i am a bit paranoid about it.
There are many alternatives, but here are my suggestions:
Since the joomla system is only used on one (or some) of your hosted sites, it should never have full access to the web-root (=the root directory of all sites), since it would then have the possibility to change/erase the contents of the other sites. It may have full access to the root directory of the sites that you use it for, however. You should look into the Apache and/or Joomla configuration for how to set this up properly.
I would also recommend using permissions like "770" or "2770", not "755", and creating only one group (not "billy" AND "www-data"). The name of that group is relatively unimportant.
The root directory of the Joomla websites would then be owned by that group and get those permissions, making the directory be fully accessible by both your "www-data" and "billy" users. Non-joomla sites would be owned by a different group, to which "billy" does not belong.
ok, so far, i have all the web roots under the directory /var/www
each directory of somesites has a web_root directory that is the web root
somesite1 web-root = /var/www/somesite1/web_root
billy has his home directory as /var/www/somesite1
so when he uses vsftpd he can upload his files. The problem i was having was that once billy uploaded files, they became unwritable by www-data.
so according to your advice, do somesite1, somesite2, and somesite3 have different owners than the user names and www-data.
So, somesite1 uses Joomla, and the other sites don't, right?
I don't really see why billy's home directory has to be /var/www/somesite1. What if you want to start using Joomla on another site as well?
The FTP permissions are a completely different story and should be addressed separately as well.
There are many ways to allow uploads to the directory /var/www/somesite1 for a specific user, besides creating a "real" user with his home directory on /var/www/somesite1. In my opinion, your FTP setup is not ideal for you and should be tweaked further.
To address the file permissions issue:
When billy uploads files, they are owned by him and get default permissions, which may or may not include group access (depending on the "umask" settings, for instance).
A "chmod 2770" of the directory could help, as this forces group ownership for newly created files/directories.
However, "billy" could still remove this group access, since he owns the files/directories.
You could then make "www-data" part of that group to give the "www-data" user full access as well.
So, in short, the real problem is the ownership by the "real" user "billy".
The question you need to ask yourself is this: does the user really need to create/delete files by using Joomla (ie via the website)? Or only modify existing files? (regardless of the file upload via FTP)
In the latter case, "billy" should not own any directory or file, only get write access on the files via the group permissions (+read-only access on directories) and the FTP configuration needs to be changed.
The first case requires an entirely different approach.