Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103
File permissions on an Ubuntu Server.
Hey all,
This is a weird problem I'm facing on my Ubuntu 8.04 server configured on my network. It seems like the file permissions are not working. Every user on the machine is being given access to all the files. For example, I created an 'Unprivileged' user and I logged in via ssh. I could cat all the files contained under /var/www/ and /etc/ which is really unwanted.
Why is this happening? What's wrong here? What can be done to overcome this issue?
Original Poster
Code:
asheshambasta@india:~$ id
uid=1003(asheshambasta) gid=1003(asheshambasta) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),105(scanner),107(fuse),1003(asheshambasta)
I'm confused. Is this the setting by default? (Highly unlikely)
Another question, if I do chmod -R a+rwX /someDirectory, does it change the permissions recursively of the contents within the directory being operated on, or recursively outside? I've always believed the former to be true.
Original Poster
Another interesting observation: using sftp, I can only browse the restricted folders, e.g. /etc/apache2/, but cannot display the file contents. However, I can ssh to the same machine under the same non-administrative username, and cat the files and see them.
Original Poster
Ok. I now see that this is common to all Ubuntu systems, my laptop behaved the same way. So, I'd like to create a new group for the network users who have to ssh to this machine, and then deny that group from accessing system directories.
There is no security risk in anyone being able to read standard system files.
Only files that contain confidential information, or user-personal files, require tighter security.
Original Poster
Quote:
Originally Posted by Mr. C.
There is no security risk in anyone being able to read standard system files.
Only files that contain confidential information, or user-personal files, require tighter security.
I'm not too sure about that. I have my phpMyAdmin running on this machine and I certainly will not want users to go to its directory and read the .htaccess and .htpasswd files and then access my SQL server.
I found out that my laptop also allowed such access even by unprivileged users. My laptop is also running Ubuntu 8.04.
Man, check which user your Apache server is running as, chown the web files to that user, and then chmod go-rwx /you/web/dir/. Then basic users on the system can't do anything, but if they already know the directory structure they could still run a PHP script and call something like readfile("/i/know/where/the/file/is"). Also, you could implement suPHP, which might help with the security.
Also, a lot of files in Debian are visible to normal users. In CentOS it's a bit different, and even on SUSE; for example, on SUSE normal users can't even run crontab (I'm not talking about openSUSE, I am talking about SLES).
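The chown/chmod steps from the reply above, as an added example that is not part of the original thread: it lists what group and other can reach under a web directory, then tightens it. The function names and the `www-data` default (Ubuntu's usual Apache account) are assumptions; check which user your server actually runs as.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten a web directory.
# Function names and the www-data default are assumptions for illustration.

# Print every entry under $1 on which group or other holds any permission bit.
# Written with POSIX "-perm -MODE" tests so it does not depend on GNU find.
list_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries under $1.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Give the tree to the web server account and remove group/other access.
#   $1 = web directory, $2 = web server user (assumed www-data if omitted)
harden_webdir() {
    dir=$1
    web_user=${2:-www-data}
    if [ "$(id -u)" -eq 0 ]; then
        # Ownership must change first: after go-rwx only the owner can read,
        # so files not owned by the web server user stop being served.
        chown -R "$web_user" "$dir"
    else
        echo "not root: skipping chown -R $web_user $dir" >&2
    fi
    # -R recurses into $dir only; nothing outside the named tree is touched.
    chmod -R go-rwx "$dir"
}

# Stand-alone use: sh harden.sh /path/to/webdir [web_user]
if [ "$#" -ge 1 ]; then
    echo "exposed before: $(count_exposed "$1")"
    harden_webdir "$1" "${2:-www-data}"
    echo "exposed after:  $(count_exposed "$1")"
fi
```

Shell users other than the web server account can no longer read .htpasswd in that tree afterwards, while files next to the directory keep their original modes.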
Ok. I now see that this is common to all Ubuntu systems, my laptop behaved the same way. So, I'd like to create a new group for the network users who have to ssh to this machine, and then deny that group from accessing system directories.
Anyone knows how to do that?
The way to get around the phpMyAdmin problem is to enable cookie authentication in phpMyAdmin. This is safer anyway, because it means that if your web server was compromised, they don't have access to your SQL user info.
Denying access is a problem, because you need to ensure that your Apache server still has sufficient access privileges to run your sites.
I'm not too sure about that. I have my phpMyAdmin running on this machine and I certainly will not want users to go to its directory and read the .htaccess and .htpasswd files and then access my SQL server.
That's OK, I'm sure enough for the both of us. ;-)
The .htaccess and .htpasswd files would fall under what I termed "confidential information, or user-personal files".
Files like .htaccess should definitely be "chmod 644". Universal read access is OK (arguably necessary); the important thing is to restrict web access (e.g. http and/or ftp access).