LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
LinkBack Search this Thread
Old 04-09-2007, 10:23 AM   #1
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Rep: Reputation: 15
Question Web files: is 775 safe?


I've always read that Web files should be set to 755, but if I want them to be editable in a group context is it safe to set them as 775? Is that just not done or what?
 
Old 04-09-2007, 10:42 AM   #2
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally Posted by flamingvan
I've always read that Web files should be set to 755, but if I want them to be editable in a group context is it safe to set them as 775? Is that just not done or what?
There are many levels and layers to security. If you are on a private network and the stuff is not served to the web 775 is much safer than PHP scripts exposed to the web. If your group is scattered on the web, a very hostile environment, you cannot have too much security. Using only the file permissions is rather weak. Adding to that having your group who need to write specially authenticated via OpenSSH would be much better. For example, you could have your special group able to edit/change stuff by logging in via SSH but having the general population using read-only web access. If your group needs to use the same scripts as the general population, they could use a different server or port. Backups are necessary but slow to apply. Better is to have a server with a backup ready to go that can take over in case another server is compromised.

As usual, there are trade-offs. How valuable is your stuff and your service? How many strangers visit your site?
 
Old 04-09-2007, 11:25 AM   #3
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks for your reply!

We are serving to the World Wide Web and we need to upload files via FTP. Our Web editors are Macromedia Dreamweaver and Contribute users. Any further advice for how to handle the situation? Thanks again.
 
Old 04-09-2007, 12:05 PM   #4
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally Posted by flamingvan
We are serving to the World Wide Web and we need to upload files via FTP. Our Web editors are Macromedia Dreamweaver and Contribute users. Any further advice for how to handle the situation? Thanks again.
If your editors are using that other OS, that is more difficult. I would normally recommend scp instead of ftp. Perhaps putty would do the same. Whatever security you put on your server and network, that other OS may let in malware to compromise things on the editors' machines. I would recommend setting up your firewall on the server to block ssh except from the editors' machines. See iptables mac parameter. Text communication among the editors should be encrypted as well so keys can be changed as needed.

Depending on the autonomy and size of your editorial staff, you could put them all on a virtual private network VPN. see OpenSwan see www.openswan.org/
 
Old 04-09-2007, 12:47 PM   #5
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I don't think SCP or Putty is going to work because our editors are non-techies and they will be working in Dreamweaver and Contribute. Do you think it would be a mistake to chmod to 775?
 
Old 04-09-2007, 12:50 PM   #6
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I think I see what you're saying. It would be safer to have everyone on VPN and not have to use FTP. But what if FTP is unavoidable? How should I handle making files group editable? Thanks!
 
Old 04-09-2007, 02:21 PM   #7
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally Posted by flamingvan
I think I see what you're saying. It would be safer to have everyone on VPN and not have to use FTP. But what if FTP is unavoidable? How should I handle making files group editable? Thanks!
Folks would have to ftp or read the file/edit it and put it back. There is a problem if two try to work on the same file at once. PHPgroupware or some version control system might help. Every feature increases the risk if it is not kept simple. If you must rely on ftp, you could permit uploads to a directory where some manager could check them before committing them to the site. If it has to be automatic the idea of making the writable group the ftpd process would work but is very insecure because ftp is rather old and clunky. FTP has been around longer than malware, I think. Try to find a secure version you can use.

You can also restrict sftp users to using ftp and doing nothing else: How to restrict users to SFTP only instead of SSH. On Debian, you can install openssh-server on the server, but I do not know a client for that other OS.
 
Old 04-10-2007, 10:12 AM   #8
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks again, but

Quote:
If it has to be automatic the idea of making the writable group the ftpd process would work
Thanks. I think this is the answer I've been looking for. But how should I do that?
 
Old 04-10-2007, 11:10 AM   #9
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally Posted by flamingvan
Thanks. I think this is the answer I've been looking for. But how should I do that?
ps aux|grep ftpd (on the server)

The beginning of the line is the ftpd user.
groups ftpuser (lists the groups to which the ftpuser belongs)

groups particularuser
usermod -G comma,separated,list,of,groups user

e.g. suppose your ftpd server is running as ftp:ftp user:group.

You could make the files in question writable by members of ftp group by
chown -R owneruser:ftp directory
chmod -R u+rwx,g+rwX,o+rw directory

As always, do a small test before reconfiguring your whole setup. You could make this more fine-grained by having several groups of users.
e.g. projectAusers,projectBusers, etc.

Only you know the structure of your site. You should read the fine manual such as ProFTPD Userguide

You can do things like make parts of the system public for reading only, have individual users able to read and write their private files, and have groups of users given equal access to files owned by their group. You may be iterested in some GUI configuration tools. See package search on Debian
 
Old 04-11-2007, 06:13 AM   #10
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks! I'll try it and let you know what happens.
 
Old 04-11-2007, 11:58 AM   #11
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
RobertP, you're suggesting that I set directory permissions to 775, right? What about new files that get created by default? Do you recommend that I set the umask value so they will be 775 by default?
 
Old 04-11-2007, 12:39 PM   #12
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally Posted by flamingvan
RobertP, you're suggesting that I set directory permissions to 775, right? What about new files that get created by default? Do you recommend that I set the umask value so they will be 775 by default?
That should work. The problem is that all the stuff and passwords, too are sent in the clear over the web. This is the insecure part. Folks may be able to learn how to get into your system and do bad things. I urge you to try using sftp or scp for your work. It is just as easy. You set up sshd on your system and the others use putty or scp to transfer stuff. The keys are then exchanged in encrypted form. That is much safer. see OpenSSH manuals
You can even save users the bother of typing passwords if you can distribute keys in a secure way (gpg, for instance).
 
Old 04-12-2007, 08:18 AM   #13
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I've been using FTP for 15 years and I've never had a problem, but I'm sure you're. I'll work on getting SFTP up. Better safe than sorry.
 
Old 04-12-2007, 10:03 AM   #14
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 451

Rep: Reputation: 32
Quote:
Originally Posted by flamingvan
I've been using FTP for 15 years and I've never had a problem, but I'm sure you're. I'll work on getting SFTP up. Better safe than sorry.
The choices we make about security depend on the value of what is protected. If it is just some silly fun stuff, you probably do not mind if the world sees it. However, I have seen servers on the web get knocked on every minute or so all day long, so I know there are folks out there looking for trouble. With ftp, they could change or delete something, or put in an executable, have it phone home and take over your machine just like the horror stories we hear from the world of Windows. There is no point in having a system if unwanted users take up all its resources. You need to limit what users can do with ftp and who can do it. If the intruder can discover your users ids and perhaps their passwords, they can do anything your normal users can do. Be careful. You trust your normal users, most likely, but an intruder could pretend to be one.

With OpenSSH, there is an extra layer of protection to keep the intruders out. I think it is well worth a bit of effort to use it. The OpenSWAN stuff and similar projects make it very easy for users and still keeps the others out. I use OpenSSH even within my own LAN for managing machines all over the building. It works mostly the same way to trusted machines on the web. If you have a small number of trusted machines on the web, it is not much effort to have your firewall block connections from others. It is not paranoia if they are out to get you...
 
Old 04-13-2007, 08:16 AM   #15
flamingvan
LQ Newbie
 
Registered: Oct 2006
Posts: 22

Original Poster
Rep: Reputation: 15
I agree. My home server has been compromised in the past. What a drag...

Thanks for all your help. I set permissions to 775 and that has resolved the problem. I'll work on SFTP and/or look into openswan.
 
  


Reply

Tags
configuration, ftp, security, server


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
safe with redhat FC5 for web access only ed_homeLinux Linux - Security 2 06-22-2006 07:47 PM
safe way to backup files? hank43 Linux - Software 2 04-10-2006 06:30 AM
LXer: Born-again VRML makes the Web safe for 3D LXer Syndicated Linux News 0 12-26-2005 04:31 PM
M$, O'Rilley .chm files what sw is safe reader suguru Linux - Software 2 12-18-2005 11:15 PM
is reiserfsck --rebuild-tree safe for the HDD files? Necronomicom Slackware 1 06-21-2004 12:17 AM


All times are GMT -5. The time now is 04:44 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration