Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
I've always read that Web files should be set to 755, but if I want them to be editable in a group context is it safe to set them as 775? Is that just not done or what?
There are many levels and layers to security. If you are on a private network and the stuff is not served to the web, 775 is much safer than PHP scripts exposed to the web. If your group is scattered on the web, a very hostile environment, you cannot have too much security. Using only the file permissions is rather weak. Adding to that, having your group who need to write specially authenticated via OpenSSH would be much better. For example, you could have your special group able to edit/change stuff by logging in via SSH, but have the general population use read-only web access. If your group needs to use the same scripts as the general population, they could use a different server or port. Backups are necessary but slow to apply. Better is to have a server with a backup ready to go that can take over in case another server is compromised.
As usual, there are trade-offs. How valuable is your stuff and your service? How many strangers visit your site?
We are serving to the World Wide Web and we need to upload files via FTP. Our Web editors are Macromedia Dreamweaver and Contribute users. Any further advice for how to handle the situation? Thanks again.
If your editors are using that other OS, that is more difficult. I would normally recommend scp instead of ftp. Perhaps PuTTY would do the same. Whatever security you put on your server and network, that other OS may let in malware to compromise things on the editors' machines. I would recommend setting up your firewall on the server to block ssh except from the editors' machines. See the iptables mac parameter. Text communication among the editors should be encrypted as well so keys can be changed as needed.
Depending on the autonomy and size of your editorial staff, you could put them all on a virtual private network (VPN). See Openswan: www.openswan.org/
I don't think SCP or PuTTY is going to work because our editors are non-techies and they will be working in Dreamweaver and Contribute. Do you think it would be a mistake to chmod to 775?
I think I see what you're saying. It would be safer to have everyone on VPN and not have to use FTP. But what if FTP is unavoidable? How should I handle making files group editable? Thanks!
Folks would have to ftp or read the file, edit it and put it back. There is a problem if two try to work on the same file at once. PHPgroupware or some version control system might help. Every feature increases the risk if it is not kept simple. If you must rely on ftp, you could permit uploads to a directory where some manager could check them before committing them to the site. If it has to be automatic, the idea of making the writable group the ftpd process would work, but it is very insecure because ftp is rather old and clunky. FTP has been around longer than malware, I think. Try to find a secure version you can use.
You can also restrict sftp users to using ftp and doing nothing else: How to restrict users to SFTP only instead of SSH. On Debian, you can install openssh-server on the server, but I do not know a client for that other OS.
Thanks. I think this is the answer I've been looking for. But how should I do that?
ps aux | grep ftpd (on the server)
The beginning of the line is the ftpd user.
groups ftpuser (lists the groups to which ftpuser belongs)
groups particularuser
usermod -aG comma,separated,list,of,groups user (the -a appends; without it, -G replaces the user's existing supplementary groups)
e.g. suppose your ftpd server is running as ftp:ftp user:group.
You could make the files in question writable by members of the ftp group by
chown -R owneruser:ftp directory
chmod -R u+rwX,g+rwX,o+rX directory (capital X adds execute only on directories and already-executable files; others get read-only, not write)
As always, do a small test before reconfiguring your whole setup. You could make this more fine-grained by having several groups of users.
e.g. projectAusers,projectBusers, etc.
Only you know the structure of your site. You should read the fine manual, such as the ProFTPD User Guide.
You can do things like make parts of the system public for reading only, have individual users able to read and write their private files, and have groups of users given equal access to files owned by their group. You may be interested in some GUI configuration tools. See the package search on Debian.
RobertP, you're suggesting that I set directory permissions to 775, right? What about new files that get created by default? Do you recommend that I set the umask value so they will be 775 by default?
That should work. The problem is that all the stuff, and passwords too, are sent in the clear over the web. This is the insecure part. Folks may be able to learn how to get into your system and do bad things. I urge you to try using sftp or scp for your work. It is just as easy. You set up sshd on your system and the others use PuTTY or scp to transfer stuff. The keys are then exchanged in encrypted form. That is much safer. See the OpenSSH manuals.
You can even save users the bother of typing passwords if you can distribute keys in a secure way (gpg, for instance).
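RobertP's chown/chmod steps above and the umask question they lead to, worked through as an added example that is not part of the thread: a POSIX shell script that prepares a group-editable web directory (group read/write, world read-only, setgid so new files inherit the editors' group) and then shows that the directory mode alone does not make new files group-writable; the creating process's umask does. The directory path and group name are assumptions; it assumes GNU coreutils for stat -c, and the demo uses a throwaway directory and your own primary group so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread. Prepares a directory that a group of
# editors can write to while the web server (and everyone else) only reads it,
# and shows why the umask matters for files created afterwards.
# Assumptions: GNU coreutils (stat -c); the editors' group already exists.
# The demo at the bottom uses a constructed throwaway directory and the
# caller's own primary group so it runs without root.
set -eu

# Make $1 editable by members of group $2 and readable by everyone else.
setup_group_dir() {
    mkdir -p "$1"
    chgrp -R "$2" "$1"
    # u=rwX,g=rwX: owner and group read/write; X adds execute only on
    # directories and on files that are already executable.
    # o=rX: the world (including a web server running as another user)
    # reads only; never o+w, which would let any local account rewrite the site.
    chmod -R u=rwX,g=rwX,o=rX "$1"
    # setgid on the directory: files created inside inherit the editors'
    # group instead of the creating user's primary group.
    chmod g+s "$1"
}

# Create an empty file $1/$2 under umask $3 and print its octal mode.
# 002 yields 664 (group-writable); the common default 022 yields 644.
create_file_with_umask() {
    (
        umask "$3"
        : > "$1/$2"
    )
    stat -c %a "$1/$2"
}

# Demonstration on a constructed throwaway directory.
demo_dir=$(mktemp -d)
setup_group_dir "$demo_dir/htdocs" "$(id -gn)"
echo "directory mode:      $(stat -c %a "$demo_dir/htdocs")"   # 2775
echo "new file, umask 002: $(create_file_with_umask "$demo_dir/htdocs" a.html 002)"   # 664
echo "new file, umask 022: $(create_file_with_umask "$demo_dir/htdocs" b.html 022)"   # 644
echo "new file's group:    $(stat -c %G "$demo_dir/htdocs/a.html")"
rm -rf "$demo_dir"
```

The umask has to be set for the process that writes the files (the ftpd/sftp session or the editors' login), otherwise uploads still arrive as 644 and only their owner can change them.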
I've been using FTP for 15 years and I've never had a problem, but I'm sure you're. I'll work on getting SFTP up. Better safe than sorry.
The choices we make about security depend on the value of what is protected. If it is just some silly fun stuff, you probably do not mind if the world sees it. However, I have seen servers on the web get knocked on every minute or so all day long, so I know there are folks out there looking for trouble. With ftp, they could change or delete something, or put in an executable, have it phone home and take over your machine just like the horror stories we hear from the world of Windows. There is no point in having a system if unwanted users take up all its resources. You need to limit what users can do with ftp and who can do it. If the intruder can discover your users' ids and perhaps their passwords, they can do anything your normal users can do. Be careful. You trust your normal users, most likely, but an intruder could pretend to be one.
With OpenSSH, there is an extra layer of protection to keep the intruders out. I think it is well worth a bit of effort to use it. The Openswan stuff and similar projects make it very easy for users and still keep the others out. I use OpenSSH even within my own LAN for managing machines all over the building. It works mostly the same way to trusted machines on the web. If you have a small number of trusted machines on the web, it is not much effort to have your firewall block connections from others. It is not paranoia if they are out to get you...