LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-23-2016, 10:26 PM   #16
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657Reputation: 1657

Quote:
Originally Posted by maples View Post
I wonder why it refuses to let you login when group has write permission?
We can look at the OpenSSH source code to answer this question. I'm on Arch.

Code:
sudo pacman -S base-devel abs
sudo abs core/openssh
sudo rsync -varh /var/abs/core/openssh /tmp/
sudo chown -R user:user /tmp/openssh
cd /tmp/openssh
makepkg -od --skippgpcheck
grep -Ri 'bad ownership or modes for directory' .
which gives us this

Code:
./openssh-7.2p2/regress/check-perm.c:	    "bad ownership or modes for directory %s", buf);
./openssh-7.2p2/auth.c:			    "bad ownership or modes for directory %s", buf);
Code:
f (stat(buf, &st) < 0 ||
            (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
            (st.st_mode & 022) != 0) {
            snprintf(err, errlen,
                "bad ownership or modes for directory %s", buf);
            return -1;
        }

Last edited by szboardstretcher; 05-23-2016 at 10:28 PM.
 
1 members found this post helpful.
Old 05-23-2016, 10:39 PM   #17
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Original Poster
Rep: Reputation: 265Reputation: 265Reputation: 265
Quote:
Originally Posted by Turbocapitalist View Post
It's so the key used for authentication cannot be overwritten by others.
Ok, that makes sense.

Quote:
Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely end up costing you in the medium to long term.

What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.
It's my home server running in my basement. I wanted a way to be able to edit files in the /var/www/html/ folder (to edit the web pages) and that seemed like a solution. It's a single-user environment and I don't think that's going to ever change.

So if www-data shouldn't have write access, then who should? I don't want to give it to just root, for several reasons. (The biggest one being that I don't think I should have to log in as root just to edit HTML.) Should I give it to my user, or should I create a separate user just for that purpose?
 
Old 05-23-2016, 10:59 PM   #18
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
Quote:
Originally Posted by maples View Post
It's my home server running in my basement. I wanted a way to be able to edit files in the /var/www/html/ folder (to edit the web pages) and that seemed like a solution. It's a single-user environment and I don't think that's going to ever change.

So if www-data shouldn't have write access, then who should? I don't want to give it to just root, for several reasons. (The biggest one being that I don't think I should have to log in as root just to edit HTML.) Should I give it to my user, or should I create a separate user just for that purpose?
You're right about not logging in as root for that. You should just give the files and directories to your user.

If you are the only user and only ever going to be the only user then it is enough to just chown it to your account and group. Then you can make as many changes as you want and www-data cannot write. Just make sure that the directories have o=rx and that files have o=r so that the web server can still read them.

If you would be moving to a simple multi-user environment, where more than one account would need to edit the web files, then you would just make a new group and apply that, along with the SetGID bit to the directories.
 
1 members found this post helpful.
Old 05-23-2016, 11:05 PM   #19
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Original Poster
Rep: Reputation: 265Reputation: 265Reputation: 265
Quote:
Originally Posted by Turbocapitalist View Post
If you would be moving to a simple multi-user environment, where more than one account would need to edit the web files, then you would just make a new group and apply that, along with the SetGID bit to the directories.
How would I go about doing that? I had tried to do something like that earlier by making /var/www/html 775 ww-data:www-data and adding my user to the www-data group, but that didn't work (and caused the problems that led to this thread...)

I think you're saying that it should be a new group, not the www-data group.

I've heard very little about setuid, and never heard of setgid, so I'm going to head over to Google. But what would I need to do to implement what you suggested above?
 
Old 05-24-2016, 02:37 AM   #20
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
Quote:
Originally Posted by maples View Post
I've heard very little about setuid, and never heard of setgid, so I'm going to head over to Google. But what would I need to do to implement what you suggested above?
Just pick a name for the new group and apply it. It could go something like this:

Code:
groupadd webmeisters
chown -R root:webmeisters /var/www/html/
find /var/www/html/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;
That leaves any other directories under /var/www/ alone such as maybe /var/www/cgi-bin/
The two 'find' instance show the difference settings for files and directories.

(Numerically that would be 2775 in octal instead of u=rwx,g=rwxs,o=rx in symbolic mode. The symbolic mode works to unset the setgid bit also but the octal mode does not.)

The owner of the directories and files is not important as long as it is not www-data. You could leave that as maples, as long as the group is set to the shared group.

Then add users to the shared group.

Code:
gpasswd -a maples webmeisters
On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.
 
3 members found this post helpful.
Old 05-24-2016, 06:24 AM   #21
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,325

Rep: Reputation: 760Reputation: 760Reputation: 760Reputation: 760Reputation: 760Reputation: 760Reputation: 760
mod_userdir could be simpler to use in an home config (and will not be affected by system upgrade, in case upgrade replaces all the /var/www config)

Server dir would be in anthony@poweredge1950ublic_html, url would be http://poweredge1950/~anthony
 
1 members found this post helpful.
Old 05-24-2016, 09:03 AM   #22
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Original Poster
Rep: Reputation: 265Reputation: 265Reputation: 265
Quote:
Originally Posted by Turbocapitalist View Post
Just pick a name for the new group and apply it. It could go something like this:

Code:
groupadd webmeisters
chown -R root:webmeisters /var/www/html/
find /var/www/html/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;
So from what I found last night, the setGID bit will ensure that files created in that directory will have the same group as the parent directory. So any file that I create (with any user that has sufficient privileges to write) will have webmeisters as the group, right?


Quote:
Originally Posted by Turbocapitalist View Post
On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.
I've never looked very closely at my umask before, but most of my files in ~/ (on several systems) are -rw-r--r--. On this Debian server, my umask is 0022:
Code:
anthony@poweredge1950:~$ umask
0022
Is there a way to set the umask only for a directory? (so any file I create in /var/www/html/ has umask 0002, but everywhere else is still 0022)
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?

Last edited by maples; 05-24-2016 at 09:28 AM.
 
Old 05-24-2016, 09:46 AM   #23
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
ACLs

Quote:
Originally Posted by maples View Post
So from what I found last night, the setGID bit will ensure that files created in that directory will have the same group as the parent directory. So any file that I create (with any user that has sufficient privileges to write) will have webmeisters as the group, right?
Yes.

Quote:
Originally Posted by maples View Post
Is there a way to set the umask only for a directory? (so any file I create in /var/www/html/ has umask 0002, but everywhere else is still 0022)
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?
I was hoping not to have to think about ACLs, but they can do that and it's not possible any other way with the EXT file systems. The part that I find confusing, aside from the ACLs themselves, is that umask is for the processes (e.g. your shell) not the file system.

Code:
setfacl -b -m group:webmeisters:rwx,d:group:webmeisters:rw- /var/www/html/
The -b clears any previous ACL for that directory before making the settings specified by -m, otherwise it can get cluttered when experimenting.

You can see what you have set with 'getfacl'

Code:
getfacl /var/www/html/
If you have a large business or organization with many users in your basement then you can consider OpenAFS, which has much easier way, but is harder to install.
 
2 members found this post helpful.
Old 05-24-2016, 12:54 PM   #24
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Original Poster
Rep: Reputation: 265Reputation: 265Reputation: 265
I think I'm going to stick with umasks for now, though ACLs look like something I should look into some day.

Theoretically, if this was a multi-user environment, would /etc/profile be an appropriate place to put the umask?
 
Old 05-24-2016, 01:09 PM   #25
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
Quote:
Originally Posted by maples View Post
Theoretically, if this was a multi-user environment, would /etc/profile be an appropriate place to put the umask?
Yes, but a separate file in /etc/profile.d/ is better. If they are using bash, ksh, or zsh, then put a file in /etc/profile.d/ with a name you will recognize and have that contain the 'umask' setting. It will set umask for everyone with the main shells: bash, zsh, and ksh. The default is bash. It is always possible for the user to modify their own umask if even only for their current session.
 
Old 05-24-2016, 01:22 PM   #26
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 814

Original Poster
Rep: Reputation: 265Reputation: 265Reputation: 265
Awesome. I just made /etc/profile.d/my_umask.sh with "umask 0002" and that seemed to take care of it.

And the sshfs still works like I originally intended

Thank you!
 
Old 05-24-2016, 02:33 PM   #27
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Just pick a name for the new group and apply it. It could go something like this:

Code:
groupadd webmeisters
chown -R root:webmeisters /var/www/html/
find /var/www/html/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;
That leaves any other directories under /var/www/ alone such as maybe /var/www/cgi-bin/
The two 'find' instance show the difference settings for files and directories.

(Numerically that would be 2775 in octal instead of u=rwx,g=rwxs,o=rx in symbolic mode. The symbolic mode works to unset the setgid bit also but the octal mode does not.)

The owner of the directories and files is not important as long as it is not www-data. You could leave that as maples, as long as the group is set to the shared group.

Then add users to the shared group.

Code:
gpasswd -a maples webmeisters
On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.
You really should stick this in your blog so I can find it readily.
I look for it a lot.
 
Old 05-24-2016, 04:18 PM   #28
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
Quote:
Originally Posted by Habitual View Post
You really should stick this in your blog so I can find it readily.
I look for it a lot.
I'll see what I can do to polish it and make a blog entry of it. I'm not sure how slow or fast I can get to it though. Which terms or phrases would be most useful in helping find it again?
 
Old 05-24-2016, 04:35 PM   #29
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
Quote:
Originally Posted by maples View Post
Awesome. I just made /etc/profile.d/my_umask.sh with "umask 0002" and that seemed to take care of it.

And the sshfs still works like I originally intended

Thank you!
You're welcome.
 
Old 05-29-2016, 08:34 AM   #30
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,081
Blog Entries: 3

Rep: Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169Reputation: 3169
Quote:
Originally Posted by Habitual View Post
You really should stick this in your blog so I can find it readily.
I look for it a lot.
As per your suggestion, I've posted an entry: https://www.linuxquestions.org/quest...e-users-37043/

Let me know if there are any phrases or terms that you normally use when searching for it and I can add them.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh public key authentication teacup Linux - Networking 4 11-28-2011 12:27 AM
SSH skips public key authentication for a key, but works with another key simopal6 Linux - General 1 07-06-2011 09:33 AM
Public key authentication with ssh elnacho12 Linux - Networking 3 12-18-2007 09:38 AM
Public Key Authentication with SSH edafe Ubuntu 1 08-26-2006 12:06 PM
Can't use public key authentication with SSH Noob69 Linux - General 5 01-06-2006 07:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 05:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration