LinuxQuestions.org
Old 10-05-2008, 03:46 AM   #1
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Rep: Reputation: 15
File permissions on an Ubuntu Server.


Hey all,

This is a weird problem I'm facing on my Ubuntu 8.04 server configured on my network. It seems like the file permissions are not working. Every user on the machine is being given access to all the files. For example, I created an 'Unprivileged' user and I logged in via ssh. I could cat all the files contained under /var/www/ and /etc/ which is really unwanted.

Why is this happening? What's wrong here? What can be done to overcome this issue?
 
Old 10-05-2008, 03:52 AM   #2
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Show ls -l output on the files. Show the user id of the running user (id command).
 
Old 10-05-2008, 03:57 AM   #3
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Code:
asheshambasta@india:~$ id
uid=1003(asheshambasta) gid=1003(asheshambasta) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),105(scanner),107(fuse),1003(asheshambasta)
Code:
asheshambasta@india:/$ ls -l
total 88
drwxr-xr-x   2 root root  4096 2008-09-28 21:44 bin
drwxr-xr-x   3 root root  4096 2008-09-28 21:45 boot
lrwxrwxrwx   1 root root    11 2008-09-27 16:05 cdrom -> media/cdrom
drwxr-xr-x  13 root root 14380 2008-10-05 14:08 dev
drwxr-xr-x 114 root root  4096 2008-10-05 14:23 etc
drwxr-xr-x   5 root root  4096 2008-10-05 13:56 home
drwxrwxrwx   4 root root  4096 2008-09-29 20:57 indiashare
drwxr-xr-x   2 root root  4096 2008-09-27 16:05 initrd
lrwxrwxrwx   1 root root    32 2008-09-27 16:07 initrd.img -> boot/initrd.img-2.6.24-19-server
drwxr-xr-x  15 root root 12288 2008-09-28 21:44 lib
drwx------   2 root root 16384 2008-09-27 16:04 lost+found
drwxr-xr-x   4 root root  4096 2008-10-05 11:03 media
drwxr-xr-x   4 root root  4096 2008-10-05 13:50 mnt
drwxr-xr-x   2 root root  4096 2008-09-27 16:05 opt
dr-xr-xr-x 159 root root     0 2008-10-05 11:00 proc
drwxr-xr-x  13 root root  4096 2008-10-05 14:08 root
drwxr-xr-x   2 root root  4096 2008-09-28 21:44 sbin
drwxr-xr-x   2 root root  4096 2008-09-27 16:05 srv
drwxr-xr-x  12 root root     0 2008-10-05 11:00 sys
drwxrwxrwt  15 root root  4096 2008-10-05 14:08 tmp
drwxr-xr-x  11 root root  4096 2008-09-27 21:11 usr
drwxr-xr-x  14 root root  4096 2008-09-27 16:37 var
lrwxrwxrwx   1 root root    29 2008-09-27 16:07 vmlinuz -> boot/vmlinuz-2.6.24-19-server
And as an example, the apache folder:

Code:
asheshambasta@india:/$ ls -l /etc/apache2/
total 44
-rw-r--r-- 1 root root 10620 2008-09-29 15:13 apache2.conf
drwxr-xr-x 2 root root  4096 2008-09-29 15:27 conf.d
-rw-r--r-- 1 root root   378 2008-06-25 19:19 envvars
-rw-r--r-- 1 root root   927 2008-10-01 14:50 httpd.conf
drwxr-xr-x 2 root root  4096 2008-09-28 21:45 mods-available
drwxr-xr-x 2 root root  4096 2008-09-27 16:38 mods-enabled
-rw-r--r-- 1 root root    59 2008-06-25 19:19 ports.conf
drwxr-xr-x 2 root root  4096 2008-09-27 23:40 sites-available
drwxr-xr-x 2 root root  4096 2008-09-27 23:40 sites-enabled
I'm confused. Is this the setting by default? (Highly unlikely)

Another question, if I do chmod -R a+rwX /someDirectory, does it change the permissions recursively of the contents within the directory being operated on, or recursively outside? I've always believed the former to be true.

Last edited by algogeek; 10-05-2008 at 04:01 AM.
 
Old 10-05-2008, 04:08 AM   #4
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Another interesting observation: using sftp, I can only browse the restricted folders, e.g. /etc/apache2/, but cannot display the file contents. However, I can ssh to the same machine under the same non-administrative username, and cat the files and see them.
 
Old 10-05-2008, 04:38 AM   #5
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Can anyone please respond? I need to get this server back up soon.
 
Old 10-05-2008, 05:07 AM   #6
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Ok. I now see that this is common to all Ubuntu systems, my laptop behaved the same way. So, I'd like to create a new group for the network users who have to ssh to this machine, and then deny that group from accessing system directories.

Anyone knows how to do that?
 
Old 10-05-2008, 12:26 PM   #7
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
There is no security risk in anyone being able to read standard system files.
Only files that contain confidential information, or user-personal files, require tighter security.
 
Old 10-05-2008, 12:40 PM   #8
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Mr. C.
There is no security risk in anyone being able to read standard system files.
Only files that contain confidential information, or user-personal files, require tighter security.
I'm not too sure about that. I have my phpMyAdmin running on this machine and I certainly will not want users to go to its directory and read the .htaccess and .htpasswd files and then access my SQL server.

I found out that my laptop also allowed such access even by unprivileged users. My laptop is also running Ubuntu 8.04.
 
Old 10-05-2008, 12:52 PM   #9
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 574

Rep: Reputation: 58
Man, check what user your apache server is running and chown the web files with that user and then chmod go-rwx /you/web/dir/, then basic users in the system can't do anything, but if they already know the directory structure they still could run a php script and run something like readfile("/i/know/where/the/file/is"). Also you could implement suPHP so that might help with the security.

Also a lot of files in Debian are visible to the normal users. In CentOS it's a bit different, even on Suse; for example, on Suse normal users can't even run crontab (not talking about openSuse, I am talking about SLES).
 
Old 10-05-2008, 12:55 PM   #10
richardfranks
LQ Newbie
 
Registered: May 2005
Location: England
Posts: 10

Rep: Reputation: 0
Quote:
Originally Posted by algogeek
Ok. I now see that this is common to all Ubuntu systems, my laptop behaved the same way. So, I'd like to create a new group for the network users who have to ssh to this machine, and then deny that group from accessing system directories.

Anyone knows how to do that?

The way to get around the phpmyadmin problem is to enable the cookie authentication in phpmyadmin. This is safer anyway, because it means that if your web server was compromised, they don't have access to your SQL user info.

Denying access is a problem, because you need to ensure that your apache server still has sufficient access privileges to run your sites.
 
Old 10-05-2008, 12:58 PM   #11
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Quote:
Originally Posted by algogeek
I'm not too sure about that. I have my phpMyAdmin running on this machine and I certainly will not want users to go to its directory and read the .htaccess and .htpasswd files and then access my SQL server.
That's OK, I'm sure enough for the both of us. ;-)

The .htaccess and .htpasswd files would fall under what I termed "confidential information, or user-personal files".
 
Old 10-05-2008, 01:55 PM   #12
paulsm4
Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
Hi, algogeek -

Files like .htaccess should definitely be "chmod 644". Universal read access is OK (arguably necessary); the important thing is to restrict web access (e.g. http and/or ftp access).

Here are a couple of links:
http://www.petefreitag.com/item/505.cfm
http://www.itc.virginia.edu/unixsys/sec/

This site has a lot of great examples:
http://perishablepress.com/press/200...access-tricks/

And finally, this site has some good background info you might find useful:
http://www.psychocats.net/ubuntu/permissions

'Hope that helps .. PSM
 
Old 06-29-2009, 03:11 AM   #13
DiGiGoth
LQ Newbie
 
Registered: Sep 2006
Posts: 17

Rep: Reputation: 0
that is not a problem on ur ubuntu

What you're experiencing is very ordinary!

look at ur post with "ls -l"
all files have read permission set for everyone!
that's why u can read all files by "cat"

u can not edit these files though!

if u want the files inaccessible by other users u should remove the read permission off the desired files/folders

which means u won't use chown, u will have to use chmod
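
Added example (not posted by any participant in this thread): a shell sketch of the checks and the `chmod go-rwx` step discussed in posts #9 and #13, which also shows that `chmod -R` only descends into the named directory (the question in post #3). The function names and the sample tree are hypothetical and constructed; the current user stands in for the Apache user, so no `chown` or root access is needed.

```shell
# Added example: audit and tighten a web directory on a constructed tree.

# List regular files under $1 whose "other" read bit is set.
world_readable_files() {
    find "$1" -type f -perm -004 | sort
}

# List directories under $1 that are world-writable without the sticky bit
# (drwxrwxrwx like indiashare in the listing, unlike /tmp's drwxrwxrwt).
unsafe_shared_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 | sort
}

# Remove all group/other access below $1, as in "chmod go-rwx".
# -R descends into the contents of $1; nothing outside $1 is touched.
lock_down() {
    chmod -R go-rwx "$1"
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/www/phpmyadmin" "$root/share" "$root/other"
    printf 'admin:constructed-hash\n' > "$root/www/phpmyadmin/.htpasswd"
    printf 'AuthType Basic\n' > "$root/www/phpmyadmin/.htaccess"
    printf 'public\n' > "$root/other/readme"
    chmod 755 "$root/www" "$root/www/phpmyadmin" "$root/other"
    chmod 644 "$root/www/phpmyadmin/.htpasswd" \
              "$root/www/phpmyadmin/.htaccess" "$root/other/readme"
    chmod 777 "$root/share"
    printf '%s\n' "$root"
}

demo() {
    tree=$(make_sample_tree)
    echo "world-readable before:"; world_readable_files "$tree/www"
    echo "shared dirs without sticky bit:"; unsafe_shared_dirs "$tree"
    lock_down "$tree/www"
    echo "world-readable after:"; world_readable_files "$tree/www"
    echo "sibling directory untouched:"; world_readable_files "$tree/other"
    rm -rf "$tree"
}
demo
```

On a real server the owner of the web files must be the account Apache runs as before group and other access is removed, otherwise the sites stop being served.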
 
  

