LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 03-18-2008, 10:45 AM   #1
josno
LQ Newbie
 
Registered: Mar 2006
Posts: 18

Rep: Reputation: 0
Secure permissions for Debian web server


A friend and I are setting up a simple web hosting server. We want to lock it down as much as possible so that users can't access anything but their own home directories, but obviously we don't want to break anything in the process. We also don't really want to use chroot - bad experiences in the past. What's the best way to go about doing it?
 
Old 03-19-2008, 08:28 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
If it were me I'd look at implementing a Linux-VServer to contain your cantankerous users in. Within the pseudo-virtualized environment, you could simply make filesystem permissions on their home directories less liberal.

Although I haven't tried this out, the installation on debian looks particularly painless.
 
Old 03-21-2008, 12:36 PM   #3
vpsville
LQ Newbie
 
Registered: Feb 2008
Location: Canada
Posts: 12

Rep: Reputation: 0
Vservers would be overkill for this purpose, but if thats your cup of tea check out OpenVZ as well.
 
Old 03-21-2008, 12:45 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Overkill to you == peace of mind to me.
 
Old 03-21-2008, 12:48 PM   #5
josno
LQ Newbie
 
Registered: Mar 2006
Posts: 18

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by vpsville View Post
Vservers would be overkill for this purpose, but if thats your cup of tea check out OpenVZ as well.
Yeah, we don't really want a separate VServer for each website hosted - especially as the people we're hosting for are unlikely to know anything about server administration. Might be worth doing one or two for the different types of sites we're hosting though.

We're not going to give users SSH access - only FTP and they'll be locked in to their home directory - but we want to be on the safe side with permissions. Apart from not letting users access other users' home directories, and not being able to read config files, what do we need to be careful about? Maybe using suphp?
 
Old 03-21-2008, 01:03 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by josno
We're not going to give users SSH access - only FTP and they'll be locked in to their home directory - but we want to be on the safe side with permissions.
More info like this in your first post (rather than after the fact) will generally help you get a more useful response. Given this new info, Linux-VServers are probably not needed.

What is your real question about then? Filesystem/permission security? It sounds like you'll be using chrooted ftp for each user (and presumably a nologin shell).
 
Old 03-21-2008, 01:12 PM   #7
josno
LQ Newbie
 
Registered: Mar 2006
Posts: 18

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anomie View Post
More info like this in your first post (rather than after the fact) will generally help you get a more useful response. Given this new info, Linux-VServers are probably not needed.
Yeah, sorry - what we want is still a bit hazy and we keep changing our minds.

Quote:
Originally Posted by anomie View Post
What is your real question about then? Filesystem/permission security? It sounds like you'll be using chrooted ftp for each user (and presumably a nologin shell).
I think that's pretty much what we're going for. Really, what we want is to restrict what users can do as much as possible, and reduce the risk of their sites compromising our server - we've inherited the server which got rooted a few times before we came along. We've since formatted and reinstalled so we're just looking to get the most secure setup possible.

I know a 'chrooted' ftp account is quite secure, but I've read it can be broken. With PHP, we're going to use open_basedir to lock that aspect down (other scripting languages won't be executable), and we've got our /tmp on a separate partition, mounting with nodev, nosuid and noexec.

Is there anything else we can do?
 
Old 03-21-2008, 02:13 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by josno
Really, what we want is to restrict what users can do as much as possible, and reduce the risk of their sites compromising our server
I'm going to make some assumptions first -- namely that you're familiar with and have taken very general hardening steps such as: shut off unneeded services, removed unnecessary packages, disabled suid binaries where possible, looked at potentially implementing a HIDS, hardened traffic at the IP level where possible (via netfilter), etc.

I don't know the status of MAC implementations on debian, but if something worthwhile is available that would be a good area to look into further. This could be the difference between a zero-day exploit in apache (or a poorly configured apache) causing major damage or being contained within its security context.

Finally, at the application level both apache and PHP are very complex beasts. To harden these properly would require an understanding beyond what I can personally provide. I'd look into books and/or classes to get you up to speed.

This all comes down to your customers and your acceptable level of risk. Is this a fun little test project for some buddies? If yes, you can shoot and miss, rebuild and try it all over again. Does your mortgage payment depend on a successful outcome with this project? If yes, I'd get ready to do a lot of learning and testing up front to properly harden the OS, application, and network layers.
 
Old 03-21-2008, 02:17 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Addendum: The chrooted ftp account (try vsftpd -- it's pretty good) is the least of your worries, IMO. Just set them up and give them a nologin shell.

Do keep in mind that ftp is a clear text protocol, though, so their authentication info will be sent across the wire for nasty people to potentially see.
 
Old 03-22-2008, 09:08 AM   #10
vpsville
LQ Newbie
 
Registered: Feb 2008
Location: Canada
Posts: 12

Rep: Reputation: 0
It sounds like you want a server configured for reselling. This is a problem that has been solved thousands of times before, by every provider of shared hosting services.

There are many ways to do this, and all kinds of pre-packaged stuff out there to help you do it.

cPanel and LxAdmin are the commercial packages that will do all this for you right out of the box, or you can use DirectAdmin, which is free (based on Webmin).
 
Old 03-22-2008, 02:06 PM   #11
josno
LQ Newbie
 
Registered: Mar 2006
Posts: 18

Original Poster
Rep: Reputation: 0
Unfortunately we can't use any panels because our 'clients' aren't necessarily going to have their own domain names (which, as far as I can tell, is a prerequisite of setting up hosting through a panel).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to secure my web server lqchangba Linux - Security 1 04-22-2007 11:34 AM
Apache Help (Secure Web Server) carlg Linux - Networking 1 10-19-2004 08:46 PM
Secure web server under RH9 Spydr Linux - Software 0 09-19-2003 12:31 AM
secure game/web server? ixion Linux - Security 1 09-09-2003 06:06 PM
Secure web server sanjibgupta Linux - Newbie 1 08-27-2003 08:05 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 07:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration