Linux - Security forum (LinuxQuestions.org): security related questions, tips, system compromises, firewalls, etc.
#1, 10-14-2006, 11:57 PM
Member, Registered: Jun 2005, Distribution: arch, ubuntu, Posts: 456
security advice debian www-data
hey there
i am running debian-sarge.
i am using it to virtually host a few websites. One of them, i just installed joomla on (a content management system). The ownership of the directory was given to user billy, but the installation needed to be able to write to some files in the web_root directory (owned by billy) and the user www-data that apache runs under would gimme a no-go. Now i changed the ownership of the web_root to www-data and it installed fine, but now billy will not be able to edit his content from ftp, or ssh or whatever. So what do i do to overcome this? Do i add www-data to the billy group, or do i add billy to the www-data group? I did a chmod 755 on the directory, was this a mistake?
sorry to sound a bit paranoid or panicked, but i am a bit paranoid about it.
thanks for any tips.
#2, 10-16-2006, 09:52 AM
Senior Member, Registered: Nov 2005, Location: Belgium, Distribution: Red Hat, Fedora, Posts: 1,515
There are many alternatives, but here are my suggestions:
Since the joomla system is only used on one (or some) of your hosted sites, it should never have full access to the web-root (=the root directory of all sites), since it would then have the possibility to change/erase the contents of the other sites. It may have full access to the root directory of the sites that you use it for, however. You should look into the Apache and/or Joomla configuration for how to set this up properly.
I would also recommend using permissions like "770" or "2770", not "755", and creating only one group (not "billy" AND "www-data"). The name of that group is relatively unimportant.
The root directory of the Joomla websites would then be owned by that group and get those permissions, making the directory fully accessible by both your "www-data" and "billy" users. Non-joomla sites would be owned by a different group, to which "billy" does not belong.
#3, 10-16-2006, 10:10 AM
Member, Registered: Jun 2005, Distribution: arch, ubuntu, Posts: 456, Original Poster
ok, so far, i have all the web roots under the directory /var/www
like this
/var/www/somesite1
/var/www/somesite2
/var/www/somesite3
each directory of somesites has a web_root directory that is the web root
like this
somesite1 web-root = /var/www/somesite1/web_root
billy has his home directory as /var/www/somesite1
so when he uses vsftpd he can upload his files. The problem i was having was that once billy uploaded files, they became unwritable by www-data.
so according to your advice, do somesite1, somesite2, and somesite3 have different owners than the user names and www-data?
thanks for your response by the way.
#4, 10-16-2006, 10:53 AM
Senior Member, Registered: Nov 2005, Location: Belgium, Distribution: Red Hat, Fedora, Posts: 1,515
So, somesite1 uses Joomla, and the other sites don't, right?
I don't really see why billy's home directory has to be /var/www/somesite1. What if you want to start using Joomla on another site as well?
The FTP permissions are a completely different story and should be addressed separately as well.
There are many ways to allow uploads to the directory /var/www/somesite1 for a specific user, besides creating a "real" user with his home directory on /var/www/somesite1. In my opinion, your FTP setup is not ideal for you and should be tweaked further.
To address the file permissions issue:
When billy uploads files, they are owned by him and get default permissions, which may or may not include group access (depending on the "umask" settings, for instance).
A "chmod 2770" of the directory could help, as this forces group ownership for newly created files/directories.
However, "billy" could still remove this group access, since he owns the files/directories.
You could then make "www-data" part of that group to give the "www-data" user full access as well.
So, in short, the real problem is the ownership by the "real" user "billy".
The question you need to ask yourself is this: does the user really need to create/delete files by using Joomla (i.e. via the website)? Or only modify existing files? (regardless of the file upload via FTP)
In the latter case, "billy" should not own any directory or file, only get write access on the files via the group permissions (+read-only access on directories) and the FTP configuration needs to be changed.
The first case requires an entirely different approach.
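A worked version of the "2770 plus one shared group" layout described in post #4, as an added example that is not part of the thread. It assumes Linux with GNU coreutils (stat -c); since creating a real shared group needs root, the caller's own group id stands in for the group that billy and www-data would both belong to, and the umask runs show why uploaded files may or may not be group-writable.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the layout post #4 describes:
# a site root with mode 2770 and a shared group, and what umask does to
# files uploaded into it. Assumes Linux and GNU coreutils (stat -c).
# Without root we cannot create a real shared group, so $(id -g) stands in
# for the group that billy and www-data would both belong to.
set -e

# Make a site root owned by the shared group with the setgid bit (2770), so
# files and subdirectories created inside inherit that group automatically.
setup_site_root() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Octal mode of a path, special bits included (e.g. 2770, 664).
mode_of() { stat -c '%a' "$1"; }

# Numeric group id of a path.
gid_of() { stat -c '%g' "$1"; }

# Simulate billy uploading a file under a given umask and print the resulting
# mode. The umask, not the directory, decides whether the group may write.
upload_with_umask() {
    ( umask "$3"; : > "$1/$2" )
    mode_of "$1/$2"
}

demo() {
    root=$(mktemp -d)
    site="$root/somesite1/web_root"
    setup_site_root "$site" "$(id -g)"
    mkdir "$site/images"   # inherits the setgid bit and the shared group
    echo "web_root: mode $(mode_of "$site"), gid $(gid_of "$site")"
    echo "images:   mode $(mode_of "$site/images"), gid $(gid_of "$site/images")"
    echo "umask 022 upload: $(upload_with_umask "$site" index.php 022) (group read-only)"
    echo "umask 002 upload: $(upload_with_umask "$site" config.php 002) (group writable)"
    rm -rf "$root"
}

demo
```

The owner of an uploaded file can still chmod it and drop the group write bit, which is the ownership point post #4 makes; the setgid bit only fixes the group, not the mode.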