Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hey guys/gals, first time here and after searching the forums, I didn't quite find the answer I was looking for.
My question is this... I have a small hosting company and we run primarily PHP scripts with Apache and phpSuExec. I have noticed that a lot of clients are FTP'ng files up and not setting the proper permissions (644 for most files and 755 for dirs) and I would like to run a nightly cron script to fix this automatically.
What I want the script to do is scan all /home/xxx/public_html dirs and run the following commands:
Code:
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541
Rep:
All you really have to is something like this:
Code:
#!/bin/bash
#
# scan for public directories, change mode of all
# files and subdirectories
#
for DIR in $(find /home -type d -name 'public')
do
cd $(DIR)
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
done
@tronayne.. Thanks! I think I can take it from here. This along with the excellent suggestion on the FTP config, we should be able to lock things down tighter...
@bsd, just checked our pro-ftp server config and our umask is at 133:022 so, that would put files at 644 and directories at 755. Our challenge is users FTP'ing files have their FTP apps to set permissions after upload because we're finding php files set to 755.. ouch..
Don't know about that, you can fix this in a script, but users explicitly changing perms after upload? Sounds fishy to me.
I have a shared hosting acct I can upload to but, I use scp, not ftp, ftp passes passwords in cleartext.
Sounds like you might want to educate your users as well as write a script.
User tronayne's commands will fix the perms if that's the route you have to take for now.
Not so much fishy as ignorant to the consequences.. I have one client in particular who has a noob doing FTP and I constantly find that file permissions are often incorrect after they upload changes which sometimes means they have the wrong file/dir permissions (on upload) set incorrectly.
If you do this you are going to break A LOT OF your user's websites. Most popular content management systems like wordpress, drupal and even vbulletin used on this very site require 777 permissions on certain files and folders. And yes there are millions of websites out there that use these CMS and work just fine. So you are wrong to think that writeable permissions are the cause of your security holes. You need to look into things like php suexec if you want greater security. Again, if you change permissions en masse you will be inundated with support tickets!
I agree that it's *very* bad to go changing file permissions -- what if someone has set up a log file writable by apache? Lots of CMSes require write permission on a directory or file here and there. And, on the other hand, they may want to exclude access from certain files for privacy reasons.
It's not a very bad idea. We have a closed hosting environment (no general hosting) and the server is specifically tuned for Joomla so, apache log files are not being written to the users /home/public_html. Its a standard cPanel environment with quite a bit of extra security software installed.
So, for those needing to FTP files, 644 and 755 for files/dirs is all they need.
Setting all the file and dir permissions on all /home/xxx/public_html accounts is the right thing to do because some of my clients did accidentally set their index.php file to 755 and some robo hacks caught that and pushed up a hack that overwrote just that one file. That's how they got in.
It's not a very bad idea. We have a closed hosting environment (no general hosting) and the server is specifically tuned for Joomla so, apache log files are not being written to the users /home/public_html. Its a standard cPanel environment with quite a bit of extra security software installed.
So, for those needing to FTP files, 644 and 755 for files/dirs is all they need.
Setting all the file and dir permissions on all /home/xxx/public_html accounts is the right thing to do because some of my clients did accidentally set their index.php file to 755 and some robo hacks caught that and pushed up a hack that overwrote just that one file. That's how they got in.
Try uploading something using joomla. Add an image to a page or something. Then you'll see how you screwed up
BTW I can tell you right now what your problem is and it isn't' permissions. It's most likely because you are using an outdated version of joomla. Joomla, like most popular open source CMS, gets targeted by bots a lot so you have to keep it up to date.
Try uploading something using joomla. Add an image to a page or something. Then you'll see how you screwed up
Unless I'm mistaken, suExec will cause apache to run as whatever user owns the website rather than as www-data or apache or nobody or whatever apache usually runs as. This should generally permit a Joomla install to write whatever it needs to.
I still think changing a user's file permissions is a bad idea though.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.