File permissions on an Ubuntu Server.

algogeek · 10-05-2008, 03:46 AM

Hey all,

This is a weird problem I'm facing on my Ubuntu 8.04 server configured on my network. It seems like the file permissions are not working. Every user on the machine is being given access to all the files. For example, I created an 'Unprivileged' user and I logged in via ssh. I could cat all the files contained under /var/www/ and /etc/ which is really unwanted.

Why is this happening? Whats wrong here? What can be done to overcome this issue?

Mr. C. · 10-05-2008, 03:52 AM

Show ls -l output on the files. Show the user id of the running user (id command).

algogeek · 10-05-2008, 03:57 AM

Code:

asheshambasta@india:~$ id
uid=1003(asheshambasta) gid=1003(asheshambasta) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),105(scanner),107(fuse),1003(asheshambasta)

Code:

asheshambasta@india:/$ ls -l
total 88
drwxr-xr-x   2 root root  4096 2008-09-28 21:44 bin
drwxr-xr-x   3 root root  4096 2008-09-28 21:45 boot
lrwxrwxrwx   1 root root    11 2008-09-27 16:05 cdrom -> media/cdrom
drwxr-xr-x  13 root root 14380 2008-10-05 14:08 dev
drwxr-xr-x 114 root root  4096 2008-10-05 14:23 etc
drwxr-xr-x   5 root root  4096 2008-10-05 13:56 home
drwxrwxrwx   4 root root  4096 2008-09-29 20:57 indiashare
drwxr-xr-x   2 root root  4096 2008-09-27 16:05 initrd
lrwxrwxrwx   1 root root    32 2008-09-27 16:07 initrd.img -> boot/initrd.img-2.6.24-19-server
drwxr-xr-x  15 root root 12288 2008-09-28 21:44 lib
drwx------   2 root root 16384 2008-09-27 16:04 lost+found
drwxr-xr-x   4 root root  4096 2008-10-05 11:03 media
drwxr-xr-x   4 root root  4096 2008-10-05 13:50 mnt
drwxr-xr-x   2 root root  4096 2008-09-27 16:05 opt
dr-xr-xr-x 159 root root     0 2008-10-05 11:00 proc
drwxr-xr-x  13 root root  4096 2008-10-05 14:08 root
drwxr-xr-x   2 root root  4096 2008-09-28 21:44 sbin
drwxr-xr-x   2 root root  4096 2008-09-27 16:05 srv
drwxr-xr-x  12 root root     0 2008-10-05 11:00 sys
drwxrwxrwt  15 root root  4096 2008-10-05 14:08 tmp
drwxr-xr-x  11 root root  4096 2008-09-27 21:11 usr
drwxr-xr-x  14 root root  4096 2008-09-27 16:37 var
lrwxrwxrwx   1 root root    29 2008-09-27 16:07 vmlinuz -> boot/vmlinuz-2.6.24-19-server

And as an example, the apache folder:

Code:

asheshambasta@india:/$ ls -l /etc/apache2/
total 44
-rw-r--r-- 1 root root 10620 2008-09-29 15:13 apache2.conf
drwxr-xr-x 2 root root  4096 2008-09-29 15:27 conf.d
-rw-r--r-- 1 root root   378 2008-06-25 19:19 envvars
-rw-r--r-- 1 root root   927 2008-10-01 14:50 httpd.conf
drwxr-xr-x 2 root root  4096 2008-09-28 21:45 mods-available
drwxr-xr-x 2 root root  4096 2008-09-27 16:38 mods-enabled
-rw-r--r-- 1 root root    59 2008-06-25 19:19 ports.conf
drwxr-xr-x 2 root root  4096 2008-09-27 23:40 sites-available
drwxr-xr-x 2 root root  4096 2008-09-27 23:40 sites-enabled

I'm confused. Is this the setting by default? (Highly unlikely)

Another question, if I do chmod -R a+rwX /someDirectory, does it change the permissions recursively of the contents within the directory being operated on, or recursively outside? I've always believed the former to be true.

algogeek · 10-05-2008, 04:08 AM

Another interesting observation: using sftp, I can only browse the restricted folders, eg. /etc/apache2/ but cannot display the file contents. However, I can ssh to the same machine under the same non administrative username, and cat the files and see them.

algogeek · 10-05-2008, 04:38 AM

Can anyone please respond? I need to get this server back up soon.

algogeek · 10-05-2008, 05:07 AM

Ok. I now see that this is common to all Ubuntu systems, my laptop behaved the same way. So, I'd like to create a new group for the network users who have to ssh to this machine, and then deny that group from accessing system directories.

Anyone knows how to do that?

Mr. C. · 10-05-2008, 12:26 PM

There is no security risk in anyone being able to read standard system files.
Only files that contain confidential information, or user-personal files, require tighter security.

algogeek · 10-05-2008, 12:40 PM

Quote:

Originally Posted by Mr. C.

There is no security risk in anyone being able to read standard system files.
Only files that contain confidential information, or user-personal files, require tighter security.

I'm not to sure about that. I have my phpMyAdmin running on this machine and I certainly will not want users to go to its directory and read the .htaccess and .htpasswd files and then access my SQL server.

I found out that my laptop also allowed such access even by unprivileged users. My laptop is also running Ubuntu 8.04.

robertjinx · 10-05-2008, 12:52 PM

Man check what user your apache server is running and chown the web files with that user and then chmod go-rwx /you/web/dir/, then basic users in the system cant do anything, but if they already know the directory structure they still could run a php script and run something like readfile("/i/know/where/the/file/is"). Also you could implement suPHP so that might help with the security.

Also a lot of files in Debian are visible to the normal users. In CentOS its a bit different, even on Suse, for example on Suse normal users cant even run crontab (not talking about openSuse, I am talking about SLES).

richardfranks · 10-05-2008, 12:55 PM

Quote:

Originally Posted by algogeek

Ok. I now see that this is common to all Ubuntu systems, my laptop behaved the same way. So, I'd like to create a new group for the network users who have to ssh to this machine, and then deny that group from accessing system directories.

Anyone knows how to do that?

the way to get around the phpmyadmin problem is to enable the cookie authentication in phpmyadmin. This is safer anyway, becuase it means that if your web server was compromised, they dont have access to your SQL user info.

Denying access is a problem, because you need to ensure that your apache server still has sufficient access privileges to run your sites

Mr. C. · 10-05-2008, 12:58 PM

Quote:

Originally Posted by algogeek

I'm not to sure about that. I have my phpMyAdmin running on this machine and I certainly will not want users to go to its directory and read the .htaccess and .htpasswd files and then access my SQL server.

That's OK, I'm sure enough for the both of us. ;-)

The .htaccess and .htpasswd files would fall under what I termed "confidential information, or user-personal files".

paulsm4 · 10-05-2008, 01:55 PM

Hi, algogeek -

Files like .htaccess should definitely be "chmod 644". Universal read access is OK (arguably necessary); the important thing is to restrict web access (e.g. http and/or ftp access).

Here are a couple of links:
http://www.petefreitag.com/item/505.cfm
http://www.itc.virginia.edu/unixsys/sec/

This site has a lot of great examples:
http://perishablepress.com/press/200...access-tricks/

And finally, this site has some good background info you might find useful:
http://www.psychocats.net/ubuntu/permissions

'Hope that helps .. PSM

DiGiGoth · 06-29-2009, 03:11 AM

What you're experiencing is very ordinary !

look at ur post with "ls -l"
all file have read permission set for everyone !
thats why u can read all files by "cat"

u can not edit these files though !

if u want the files unaccessable by other users u should remove the read permission off the desired files/folders

which means u wont use chown, u will have to use chmod