LinuxQuestions.org
06-29-2004, 07:03 AM   #1
jeffpoulsen
serving website from inside chroot "Permissions"


I have recently set up my server using a chrooted sshd daemon. It works well. I use scp to upload files to the server. Now I have to serve from a directory from within the chroot so I can administer it remotely. Since I just copied the files from the old server I have had to chown most of the files in other parts of the file storage folders to allow remote storage. I have now set up a /www folder to serve webpages from and it works. But I need to change ownership of these folders as I now cannot upload files. Currently the permissions are 644 with root the owner and group. I have the following questions:

(1) Who should own these files? I do not login as root but as another user.
(2) What should the permissions be?
(3) Is this a security risk?

I am not sure about the security of the chroot if files belong to root. And if there are links to files outside of the chroot. I do not want to set up ftp for several reasons one being a limit on the number of nat'd ports on the firewalls. Thanks, all help is greatly appreciated.
 
07-01-2004, 02:55 PM   #2
unSpawn
Quote:
Currently the permissions are 644 with root the owner and group. (...) (1) Who should own these files?

If it's user changeable files, a lesser-privileged one. If you've got userdirs within the chroot you could chown files to them; if you're using a webserver like Apache, you've possibly got an inert Apache account, so you could chown files to that or the nobody account. Permissions should be sufficient enough for the server to serve and the users to change.

Quote:
(3) Is this a security risk?

Depends on what files you mean and who needs to be able to change 'em.

Quote:
I am not sure about the security of the chroot if files belong to root.

Executables, config files (files you don't want to be edited by non-privileged users) are usually owned by root. That's no problem. What can be a problem is allowing stuff in the chroot that is not supposed to be there. The fact the files reside within a chroot can only be counted as "mitigating circumstances" when the jail is sealed. No linking outside, no mount binds, no mounted /proc, minimal /dev/, no setuid root binaries, not allowing people to create devices or setuid root binaries.


If unsure about chrooting, check out the LQ FAQ: Security references.
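
The "sealed jail" conditions listed in the reply above can be checked from the host with a short audit script. This is an added example, not part of the original posts: the function names are hypothetical, and it assumes a `readlink` that supports `-f` and a Linux-style mounts table at `/proc/self/mounts`.

```shell
#!/bin/sh
# Added example: audit a chroot tree for the "sealed jail" conditions listed above.
# Run on the host against the jail's top directory (the path is yours to supply).

# Symlinks that resolve, from the host's point of view, to a path outside the jail.
# A daemon that is not itself chrooted (e.g. the web server) would follow these.
jail_symlinks_outside() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -xdev -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$root"|"$root"/*) ;;
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Setuid/setgid files of any owner (a superset of "setuid root binaries").
jail_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
}

# Device nodes anywhere except the jail's own /dev, which should stay minimal.
jail_stray_devices() {
    find "$1" -xdev -path "$1/dev" -prune -o \( -type b -o -type c \) -print
}

# Mount points below the jail (bind mounts, /proc, ...), read from a mounts table.
# $2 defaults to /proc/self/mounts; pass another file to audit a saved table.
jail_mounts() {
    awk -v root="${1%/}" 'index($2, root "/") == 1 { print $2 " (" $3 ")" }' \
        "${2:-/proc/self/mounts}"
}

# Run every check; print the findings and return 1 if anything was found.
audit_jail() {
    root=$(cd "$1" && pwd -P) || return 2
    findings=$(
        jail_symlinks_outside "$root" | sed 's/^/symlink-outside: /'
        jail_setid_files "$root"      | sed 's/^/setid-file: /'
        jail_stray_devices "$root"    | sed 's/^/device-node: /'
        jail_mounts "$root" "$2"      | sed 's/^/mount-inside: /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and call `audit_jail /path/to/jail`; a non-zero return means at least one condition is violated. Hard links to files outside the jail are not detected, since a hard link carries no record of where its other names live.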
 
  


All times are GMT -5.