In what way will a file access permission change affect non-root (apache, ftp) users?
The question is...
I have a system on Debian (stable). And I have to create some users.
Well... the file access rights on nearly all files are 755. This means that all created users will have the ability to VIEW nearly all files that are in the system. They have no possibility to make any changes to them, but the possibility to view them means the opportunity to collect all the information that is stored.
I can change the permissions on /bin /sbin /etc (and other sys-dirs) so that all other users will have no access to them.
And the question is: will it affect the functionality of other system-specific users such as 'apache', 'ftp', 'mysql', etc., and if it will, then in what way?
Well, I'm not sure I've completely understood the question, just to clear things up. If there's nothing new to you just disregard the message.
Every file (in Linux everything is a file, including directories) has 3 types of permissions (or whatever that's called):
'owner', 'group', and 'other'. The 'owner' stands for the only user account that owns that file. If you change the owner, the previous owner instantly loses access to that file (obviously if he doesn't have the access through 'group' or 'other'). The 'group' stands for a group = a list of users. Definitely you can add or remove users to any group, and changing 'group' permissions for a file will affect any user from the group. Finally the 'other' stands for everybody else. Concerning the system-specific users, they are nothing different from regular users. So any change performed for those users will have exactly the same effect.
To make it clearer:
I go to the /etc dir. Nearly every file in it has 755 permissions.
So any regular user can VIEW file contents. Copy it. Analyze it. Everything except editing.
I want to change the permissions of the files in this dir to 750.
So only User and Group will have access to view/execute the files. And regular users will not even see any files in this dir.
But!!! The system users such as 'apache', 'mysql', 'ftp' will also lose the view access to those files.
So the question is: will the file permission change from 755 to 750 on the /etc dir (for example) affect the system users as mentioned earlier? And will it affect the system functionality?
Yes, it will. That's what groups are for. You should add all the system users to the group and remove everybody you don't want to have access. Still, regular users have to have access to some files in /etc. Not sure if they can be off without it though.
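To see in advance which entries an account would lose when the 'other' bits are removed, the following added example (not part of the original posts) lists everything the account reaches only as 'other'. It assumes GNU find; the function name and the numeric ids in the demo are made up for illustration.

```shell
#!/bin/sh
# Added example (GNU find assumed). Lists entries under ROOT that the account
# with numeric UID and the given GIDs can read only through the 'other' bits:
# it is neither the owner nor in the owning group, and other-read is set.
# These are the entries a 755 -> 750 (or 644 -> 640) change takes away.
# Plain mode bits only; POSIX ACLs are not considered.
other_only_access() {
    root=$1 uid=$2
    shift 2
    # Turn every group id of the account into a "! -gid N" test for find.
    set -- $(for g in "$@"; do printf '! -gid %s ' "$g"; done)
    find "$root" ! -uid "$uid" "$@" -perm -004 -printf '%m %p\n'
}

# Constructed demo tree. A real run would look like this, with the account
# name your system uses for the service:
#   other_only_access /etc "$(id -u apache)" $(id -G apache)
demo=$(mktemp -d)
mkdir "$demo/etc" && chmod 755 "$demo/etc"
echo 'root:x:0:0' > "$demo/etc/passwd"      && chmod 644 "$demo/etc/passwd"
echo 'secret'     > "$demo/etc/private.key" && chmod 640 "$demo/etc/private.key"
# 4242 and 4243 are made-up ids standing in for a service account.
other_only_access "$demo/etc" 4242 4243
rm -rf "$demo"
```

Every path it prints needs a group assignment for that account before the 'other' bits are dropped.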
I can change the permissions on /bin /sbin /etc (and other sys-dirs) so that all other users will have no access to them.
You can't do that. All users MUST have access to the programs in /bin or they won't even be able to log into the machine. Just do an ls in /bin and see what programs you would be denying them access to...these are critical system functions.
A chroot jail would be the best way to restrict those users to only the files/directories that are required.
I go to the /etc dir. Nearly every file in it has 755 permissions.
Then somebody fscked up.
/etc holds mostly global resource and configuration files, the password database and system initialization and helper scripts.
0755 for directories is OK, but files, no, they shouldn't have that: at most 0644, except for the user and group shadow files, which should have 0400 or 0600, or init or helper scripts, which should have 0755.
Again: these are not the original file access permissions.
If you altered access permissions then change them back before doing anything else.
Last edited by unSpawn; 08-20-2012 at 10:31 AM.
Reason: //Add exception, don't state the obvious
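The modes listed in the post above can be checked mechanically. This added example (not part of the original posts) reports entries that are wider than those modes; it assumes GNU find and stat, treats "script" as a file beginning with `#!`, and runs against a constructed sample tree.

```shell
#!/bin/sh
# Added example (GNU find/stat assumed). Prints "MODE PATH REASON" for every
# entry under ROOT that is wider than the modes given in the post above.
audit_etc_modes() {
    root=$1
    # Directories: 0755 at most, so no group/other write bit.
    find "$root" -type d -perm /022 \
        -printf '%m %p directory writable by group or other\n'
    # Shadow databases: 0400 or 0600, so nothing beyond owner read/write.
    find "$root" -type f \( -name shadow -o -name gshadow \) -perm /177 \
        -printf '%m %p shadow file wider than 0600\n'
    # Remaining files: 0644 (or 0755 for scripts), so no group/other write.
    find "$root" -type f ! -name shadow ! -name gshadow -perm /022 \
        -printf '%m %p file writable by group or other\n'
    # Execute bits belong on scripts only. Assumption: "script" means the
    # file starts with "#!".
    find "$root" -type f -perm /111 -exec sh -c '
        for f do
            [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ] ||
                printf "%s %s executable but not a script\n" \
                    "$(stat -c %a "$f")" "$f"
        done' sh {} +
}

# Constructed sample tree standing in for /etc.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/init.d" "$t/etc/open"
    echo 'root:x:0:0::/root:/bin/sh' > "$t/etc/passwd"
    echo 'root:*:19000::::::'        > "$t/etc/shadow"
    echo 'key=value'                 > "$t/etc/app.conf"
    echo 'key=value'                 > "$t/etc/world.conf"
    printf '#!/bin/sh\nexit 0\n'     > "$t/etc/init.d/svc"
    chmod 755 "$t/etc" "$t/etc/init.d" "$t/etc/init.d/svc" "$t/etc/app.conf"
    chmod 644 "$t/etc/passwd"; chmod 640 "$t/etc/shadow"
    chmod 666 "$t/etc/world.conf"; chmod 777 "$t/etc/open"
    echo "$t"
}

tree=$(make_sample_tree)
audit_etc_modes "$tree/etc"
rm -rf "$tree"
```

Debian itself ships /etc/shadow as 0640 root:shadow, so the shadow rule as written here reports it; loosen that mask if you keep the distribution default.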