LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-14-2006, 11:57 PM   #1
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Rep: Reputation: 30
security advice debian www-data


hey there
i am running debian-sarge.
i am using it to virtually host a few websites. One of them, i just installed
joomla on ( a content management system ) the ownership of the directory was given to user billy, but the installation needed to be able to write to some files in the web_root directory (owned by billy) and the user www-data that apaceh runs under would gimme a no-go. Now i changed the ownership of the web_root to www-data and it installed fine, but now billy will not be able to edit his content from ftp, or ssh or whatever now. So what do i do to overcome this. Do i add www-data to the billy group, or do i add billy to the www-data group ?. I did a chmod 755 on the directory, was this a mistake ?
sorry to sound a bit paranoid or pannicked, but i am a bit paranoid about it.

thanks for any tips.
 
Old 10-16-2006, 09:52 AM   #2
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
There are many alternatives, but here are my suggestions:

Since the joomla system is only used on one (or some) of your hosted sites, it should never have full access to the web-root (=the root directory of all sites), since it would then have the possibility to change/erase the contents of the other sites. It may have full access to the root directory of the sites that you use it for, however. You should look into the Apache and/or Joomla configuration for how to set this up properly.

I would also recommend using permissions like "770" or "2770", not "755", and creating only one group (not "billy" AND "www-data"). The name of that group is relatively unimportant.
The root directory of the Joomla websites would then be owned by that group and get those permissions, making the directory be fully accessible by both your "www-data" and "billy" users. Non-joomla sites would be owned by a different group, to which "billy" does not belong.
 
Old 10-16-2006, 10:10 AM   #3
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Original Poster
Rep: Reputation: 30
ok, so far, i have all the web roots under the directory /var/www
like this
/var/www/somesite1
/var/www/somesite2
/var/www/somesite3

each directory of somesites has a web_root directory that is the web root
like this
somesite1 web-root = /var/www/somesite1/web_root
billy has his home directory as /var/www/somesite1
so when he uses vsftpd he can upload his files. The problem i was having was that once billy uploaded files, they became unwritable by www-data.
so according to your advice, do somesite1, somesite2, and somesite3 have different owners than the user names and www-data.

thanks for your response by the way.
 
Old 10-16-2006, 10:53 AM   #4
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
So, somesite1 uses Joomla, and the other sites don't, right?
I don't really see why billy's home directory has to be /var/www/somesite1. What if you want to start using Joomla on another site as well?

The FTP permissions are a completely different story and should be addressed separately as well.
There are many ways to allow uploads to the directory /var/www/somesite1 for a specific user, besides creating a "real" user with his home directory on /var/www/somesite1. In my opinion, your FTP setup is not ideal for you and should be tweaked further.

To address the file permissions issue:
When billy uploads files, they are owned by him and get default permissions, which may or may not include group access (depending on the "umask" settings, for instance).
A "chmod 2770" of the directory could help, as this forces group ownership for newly created files/directories.
However, "billy" could still remove this group access, since he owns the files/directories.
You could then make "www-data" part of that group to give the "www-data" user full access as well.

So, in short, the real problem is the ownership by the "real" user "billy".
The question you need to ask yourself is this: does the user really need to create/delete files by using Joomla (ie via the website)? Or only modify existing files? (regardless of the file upload via FTP)
In the latter case, "billy" should not own any directory or file, only get write access on the files via the group permissions (+read-only access on directories) and the FTP configuration needs to be changed.
The first case requires an entirely different approach.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
passwordless SSH works for root but not www-data zovres Linux - General 1 07-26-2006 12:31 PM
www-data group not appearing in file permissions tab nick1 Ubuntu 1 05-01-2006 12:48 PM
checking security at www.grc.com STARHARVEST Linux - Security 2 11-29-2005 09:22 AM
need to make www-data as super-user ALInux Linux - Security 1 11-05-2005 10:11 AM
add www-data user restless Linux - Newbie 1 06-01-2004 08:51 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration