Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 06-29-2004, 06:03 AM   #1
Registered: Sep 2002
Posts: 46

Rep: Reputation: 15
serving website from inside chroot "Permissions"

I have recently set up my server using a chrooted sshd daemon. It works well. I use scp to upload files to the server. Now I have to serve from a directory from within the chroot so I can administer it remotely. Since I just copied the files from the old server I have had to chown most of the files in other parts of the file storage folders to allow remote storage. I have now set up a /www folder to serve webpages from and it works. But I need to change ownership of these folders as I now cannot upload files. Currently the permissions are 644 with root the owner and group. I have the following questions:

(1) Who should own these files? I do not login as root but as another user.
(2) What should the permissions be?
(3) Is this a security risk?

I am not sure about the security of the chroot if files belong to root. And if there are links to files outside of the chroot. I do not want to set up ftp for several reasons one being a limit on the number of nat'd ports on the firewalls. Thanks, all help is greatly appreciated.
Old 07-01-2004, 01:55 PM   #2
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541Reputation: 3541
Currently the permissions are 644 with root the owner and group. (...) (1) Who should own these files?
If it's user changable files, a lesser-privileged one. If you've got userdirs within the chroot you could chown files to them, if you're using a webserver like Apache, you've possibly got an inert Apache account, so you could chown files to that or the nobody account. Permissions should be sufficient enough for the server to serve and the users to change.

(3) Is this a security risk?
Depends on what files you mean and who needs to be able to change em.

I am not sure about the security of the chroot if files belong to root.
Executables, config files (files you don't want to be edited by non-privileged users) are usually owned by root. That's no problem. What can be a problem is allowing stuff in the chroot that is not supposed to be there. The fact the files reside within a chroot can only be counted as "mitigating circumstances" when the jail is sealed. No linking outside, no mount binds, no mounted /proc, minimal /dev/, no setuid root binaries, not allowing people to create devices or setuid root binaries.

If unsure about chrooting, check out the LQ FAQ: Security references.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to tell "find" to not search inside hidden folders? robo555 Linux - General 8 08-08-2011 06:30 AM
Take all posts from "Website Suggestions & Feedback" out of the "0 Reply Thread&q t3gah LQ Suggestions & Feedback 7 03-21-2005 07:27 PM
perhaps a separate forum for X/KDE/Gnome/etc. inside "Linux - Software"? sether LQ Suggestions & Feedback 2 09-27-2004 02:52 PM
How can I "see" a computer inside my LAN from outside - i.e. from the internet? Thoddy Linux - Networking 6 01-28-2004 08:19 AM
Problem with "Jail Chroot Project 1.9" Agento- Linux - General 2 01-19-2003 07:52 AM

All times are GMT -5. The time now is 01:04 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration