LinuxQuestions.org
Old 09-10-2006, 01:40 PM   #1
bluefusionx
Member
 
Registered: Nov 2004
Location: Maryville, Tennessee
Distribution: Ubuntu "Dapper Drake"
Posts: 38

Rep: Reputation: 15
Keeping Users in their Home Directory


Okay, I am going to be hosting people on my server. The thing is, I don't want people to read my configuration files to find out my MySQL passwords, nor do I want people seeing the files of other people.

How would I accomplish this? I already tried chmodding my config files to 700, but now I get a PHP error: Permission denied.

What should I do? I was considering a jail shell, but would it still work with Apache's user directories mod?
 
Old 09-10-2006, 03:17 PM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
This is a long-running problem in Unix and it was inherited by Linux due to the fact that Linux works like Unix. Here are a couple of possibilities that you can try. I've been playing with these things myself. Nothing that I have tried worked completely.

1) You can put the users in a chroot jail PLUS use the rbash restricted bash shell. Note that a chroot jail by itself is not enough. However, the rbash shell by itself MAY be enough.

2) This is exactly the kind of thing that SELinux was invented to address. You could look into that.

3) Novell SuSE has AppArmor. It is intended to replace SELinux and it is intended to be easier to configure.

4) Bastille Linux is another attempt to secure a Linux environment.

Both SELinux and Bastille Linux are add-ons. You don't have to change distributions to use them. You add them on to the distribution that you are currently using.

Unix and Linux advocates don't like to think about the issues that you raised. They like to think that Unix and Linux are secure. Well, Unix and Linux are not secure if you have a valid user account. As you pointed out, too much system information is visible to the normal user account. I've been trying to "secure" Unix and Linux for over ten years. These efforts always break things and fail to achieve the security intended.

Last edited by stress_junkie; 09-10-2006 at 03:26 PM.
 
Old 09-10-2006, 04:40 PM   #3
chadl
Member
 
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129

Rep: Reputation: 16
When you chmod your config file to 700, you need to make sure that the file is owned by the user that PHP is running as. Under a well-configured system, that user is not root. So, if the config file is owned by root, and 700, and PHP is not running as root, it will be unable to read that configuration file (as is the point of file security).
In almost all cases, the user running PHP is the same as the user that the web server is running as (apache is a common choice for many configurations).

On the systems I run, I have not had a problem with the users reading most files; I just protect the files that have passwords in them (very few), and then the directories that I have mysql dump its backups to, etc. In most cases a user knowing the configuration of the server is of little harm, and it is very hard to keep an expert from finding them anyway.

If you do not want users to know your PHP configuration, then you will also need to lock down PHP, as a simple page with phpinfo(); in it will make a web page that lists all of PHP's settings.

Last edited by chadl; 09-10-2006 at 04:46 PM.
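
Added example, not part of chadl's post: a shell check for the ownership-and-mode condition described above, reporting whether a credentials file is owned by the account PHP runs as and closed to group and other. The function name `check_secret_file`, the numeric-UID argument and the throwaway demo file are constructed for illustration; it assumes GNU `stat`, and `www-data` in the comment is an assumption about the server's Apache account.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat`.
# check_secret_file FILE EXPECTED_UID
#   returns 0: owned by EXPECTED_UID, owner-readable, no group/other bits
#   returns 1: policy violation (each reason is printed)
#   returns 2: FILE is not a regular file
check_secret_file() {
    file=$1; want_uid=$2; rc=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    uid=$(stat -c '%u' "$file")     # numeric owner
    mode=$(stat -c '%a' "$file")    # octal string, e.g. 600 or 644
    perm=$((0$mode))                # leading 0 makes the shell read it as octal
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER   $file: owned by uid $uid, expected uid $want_uid"
        rc=1
    fi
    if [ $(($perm & 0400)) -eq 0 ]; then
        echo "NOREAD  $file: mode $mode gives the owner no read bit"
        rc=1
    fi
    if [ $(($perm & 077)) -ne 0 ]; then
        echo "EXPOSED $file: mode $mode grants access to group or other"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK      $file: uid $uid, mode $mode"
    return "$rc"
}

# Real use (assumption: Apache/PHP runs as www-data, the Debian/Ubuntu default):
#   check_secret_file /path/to/config.php "$(id -u www-data)"

# Constructed demo: a temp file stands in for a PHP config holding DB credentials.
demo() {
    f=$(mktemp) || return 1
    chmod 644 "$f"; check_secret_file "$f" "$(id -u)"   # flagged as EXPOSED
    chmod 600 "$f"; check_secret_file "$f" "$(id -u)"   # passes
    rm -f "$f"
}
demo
```

The demo uses mode 600 rather than 700 because a configuration file does not need the execute bit; the check accepts either.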
 
Old 09-15-2006, 05:42 PM   #4
bluefusionx
Member
 
Registered: Nov 2004
Location: Maryville, Tennessee
Distribution: Ubuntu "Dapper Drake"
Posts: 38

Original Poster
Rep: Reputation: 15
All right, so what should I do to allow the webserver user account to have access to everyone's files? Could I place it in the group of root? I would also like to put a password in it, so obviously no one can gain unauthorized access. Of course there's that passthru command. I'll need to disable it. But how would I add a password to httpd.conf? I just saw a user and a group defined.
 
  


All times are GMT -5.