Protecting a directory with chmod, owner, groups, others
Okay, here is the background.
I have 2 users: user 1 = gelt, user 2 = redwolf.

User redwolf is in group redwolf. User redwolf's home directory is in /home/redwolf. User redwolf is a standard user, simply logs in and does simple stuff.

User gelt is in group gelt. User gelt's home directory is /gelttech.com. User gelt logs in and uploads the pages for www.gelttech.com, which is located in /gelttech.com/html/.

Here is the situation. I need to have the directory gelttech.com only viewable by user gelt, and whatever processes are needed to read and display gelttech.com, located in /gelttech.com/html/. I have added apache to the group gelt and then issued the following command.

[root@server-rig /]# chmod 770 gelttech.com

After doing this, I get the Apache test page, and not the simple index.html page that I created. I then issue this command.

[root@server-rig /]# chmod 771 gelttech.com

After doing this, www.gelttech.com loads the simple index.html page that I created. There is a problem with 771: redwolf can now delve into the /gelttech.com directory, whereas with 770, redwolf gets access denied when trying to go into the /gelttech.com directory.

WHAT do I need to do in order to keep redwolf out of /gelttech.com and yet still be able to have the page load properly and the user gelt upload any changes to gelttech.com?
try a chmod XXX * -R
the -R is for recursive ;-)
I tried this command:
chmod 770 gelttech.com -R

and got the apache test page. I tried 771 and got this:

-------------------------------------------------------
Access forbidden!
You don't have permission to access the requested object. It is either read-protected or not readable by the server.
If you think this is a server error, please contact the webmaster
Error 403
----------------------------------------------------

The only one that will allow the correct access to /gelttech.com/html/index.html is:

chmod 775 gelttech.com -R

Is there anything else that I need to add to the gelt group besides the apache user?
chmod sets the mode of the files in 4 columns. If anything is left off, it is perceived by chmod as a leading zero.

column 1 is the sticky bit
column 2 is the owner bit
column 3 is the group bit
column 4 is the others bit

The bit values mean:
4 = read
2 = write
1 = execute/VIEW

Add them together for whatever you want. So in theory 770 should work fine. You don't need anything but a zero on the others bit.

If you do ls -l, what comes up as the owning group? users? Do:
Code:
chown gelt.gelt -R /gelttech.com
Code:
drwxr-xr-x 5 thegnu users 144 Oct 17 19:19 Choices

What I think is happening is that apache is part of the gelt group, but the gelt group doesn't own the folder. If this doesn't work, post the results of
Code:
ls -al /gelttech.com
I figured it out
I figured it out.
I set the owner to be apache and gave him full permissions, and I set the group to be the group that contains the user that I want to have access and gave them full permissions. Then I set other to 0. This worked great. Apache could get in and load up the page. The user could get in and make changes. Other users could not get into the directory unless they were part of the group.

Thanks =)
Lance Elmshaeuser
welcome to the wonderful world of system administration
protecting directories
I was wondering how to select only files or only directories when I do a "chmod".
Because chmod 744 -R * made all my files executable, and I did that only to be able to enter my directories. I'd really need that solved.
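A worked example, added here and not posted by anyone in the thread, that answers the question above (how to chmod only directories or only files) and at the same time applies the scheme the thread converges on: owner and group own the tree, the web server user is merely a member of that group, and others get nothing. The point is that directories need the execute (search) bit so the group can traverse them, while regular files must not get it, which is exactly what `chmod 744 -R *` or `chmod 77x -R` gets wrong. It assumes GNU/Linux `find` and `chmod` and a Bourne-compatible shell; the `chown` step is shown only as a comment because the demo runs unprivileged in a scratch directory, and the names gelt and apache are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU/Linux find + chmod.

# harden_site ROOT: directories 750 (owner rwx, group r-x, others none),
#                   regular files 640 (owner rw-, group r--, others none).
harden_site() {
    root="$1"
    # -type d selects only directories, -type f only regular files, so the
    # execute bit lands on directories (needed to traverse them) and never
    # on the HTML/CSS files.
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    # In production, also fix ownership (needs root). The web server user
    # (apache) is a member of group gelt and owns nothing:
    #   chown -R gelt:gelt "$root"
}

# count_bad ROOT: how many entries deviate from the scheme (0 = clean).
# -perm 750 without a leading - or / is an exact match.
count_bad() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 750 | wc -l)
    bad_files=$(find "$root" -type f ! -perm 640 | wc -l)
    echo $((bad_dirs + bad_files))
}

# make_demo: constructed scratch tree shaped like /gelttech.com/html,
# deliberately left in the state 'chmod 744 -R *' produces (files executable).
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/html/css"
    echo '<h1>hello</h1>' > "$demo/html/index.html"
    echo 'body{}' > "$demo/html/css/site.css"
    chmod -R 744 "$demo"
    echo "$demo"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    echo "before: $(count_bad "$d") entries off-scheme"
    harden_site "$d"
    echo "after:  $(count_bad "$d") entries off-scheme"
    ls -lR "$d"
    rm -rf "$d"
fi
```

Run it as `sh harden.sh --demo` to see the before/after listing on the scratch tree; on a real site call `harden_site /gelttech.com` as the owner and do the `chown` as root. With this layout the 770-versus-771 dilemma from the first post disappears: group membership, not the "others" bits, is what lets the web server in.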
Re: protecting directories
One big problem with this scenario. You have just blown apache's and linux security out of the water and taken it down to the windows level. Apache is run with a non-privileged user just to keep things like this from happening. If a hacker or exploit comes out, the apache process can now delete all of your files that are owned by apache. This is a bad idea. It is never recommended to have the apache process own any files.
Shameless Plug
I've run into this kind of thing several times before. To get around the scenario of having to make recursive changes in ownership and permissions I wrote a perl script to handle it all for me. Works real well. The script will ask you for the starting point, who to set the owner and group to, and what permissions you want on the directories. By default it will make the permissions of all the files 0664 (you can change this in the script). The script is freely available at http://barrelofmonkeys.sytes.net/scripts/scripts.php It is called chdirperm.pl
Apache is still a non-privileged user....no password...no home directory. No one can login as user apache. In "theory" it still should be secure....right????
In theory. Assuming you never have a bad script, Apache never has a vulnerability etc....
files and directories permissions
Thanks for the scripts. I'll check them out as I run fedora core. Hope they'll run.