[SOLVED] Stuck on SSH public key authentication for www-data

szboardstretcher · 05-23-2016, 09:26 PM

Quote:

Originally Posted by maples

I wonder why it refuses to let you login when group has write permission?

We can look at the OpenSSH source code to answer this question. I'm on Arch.

Code:

sudo pacman -S base-devel abs
sudo abs core/openssh
sudo rsync -varh /var/abs/core/openssh /tmp/
sudo chown -R user:user /tmp/openssh
cd /tmp/openssh
makepkg -od --skippgpcheck
grep -Ri 'bad ownership or modes for directory' .

which gives us this

Code:

./openssh-7.2p2/regress/check-perm.c:	    "bad ownership or modes for directory %s", buf);
./openssh-7.2p2/auth.c:			    "bad ownership or modes for directory %s", buf);

Code:

f (stat(buf, &st) < 0 ||
            (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
            (st.st_mode & 022) != 0) {
            snprintf(err, errlen,
                "bad ownership or modes for directory %s", buf);
            return -1;
        }

maples · 05-23-2016, 09:39 PM

Quote:

Originally Posted by Turbocapitalist

It's so the key used for authentication cannot be overwritten by others.

Ok, that makes sense.

Quote:

Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely end up costing you in the medium to long term.

What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.

It's my home server running in my basement. I wanted a way to be able to edit files in the /var/www/html/ folder (to edit the web pages) and that seemed like a solution. It's a single-user environment and I don't think that's going to ever change.

So if www-data shouldn't have write access, then who should? I don't want to give it to just root, for several reasons. (The biggest one being that I don't think I should have to log in as root just to edit HTML.) Should I give it to my user, or should I create a separate user just for that purpose?

Turbocapitalist · 05-23-2016, 09:59 PM

Quote:

Originally Posted by maples

It's my home server running in my basement. I wanted a way to be able to edit files in the /var/www/html/ folder (to edit the web pages) and that seemed like a solution. It's a single-user environment and I don't think that's going to ever change.

So if www-data shouldn't have write access, then who should? I don't want to give it to just root, for several reasons. (The biggest one being that I don't think I should have to log in as root just to edit HTML.) Should I give it to my user, or should I create a separate user just for that purpose?

You're right about not logging in as root for that. You should just give the files and directories to your user.

If you are the only user and only ever going to be the only user then it is enough to just chown it to your account and group. Then you can make as many changes as you want and www-data cannot write. Just make sure that the directories have o=rx and that files have o=r so that the web server can still read them.

If you would be moving to a simple multi-user environment, where more than one account would need to edit the web files, then you would just make a new group and apply that, along with the SetGID bit to the directories.

maples · 05-23-2016, 10:05 PM

Quote:

Originally Posted by Turbocapitalist

If you would be moving to a simple multi-user environment, where more than one account would need to edit the web files, then you would just make a new group and apply that, along with the SetGID bit to the directories.

How would I go about doing that? I had tried to do something like that earlier by making /var/www/html 775 ww-data:www-data and adding my user to the www-data group, but that didn't work (and caused the problems that led to this thread...)

I think you're saying that it should be a new group, not the www-data group.

I've heard very little about setuid, and never heard of setgid, so I'm going to head over to Google. But what would I need to do to implement what you suggested above?

Turbocapitalist · 05-24-2016, 01:37 AM

Quote:

Originally Posted by maples

I've heard very little about setuid, and never heard of setgid, so I'm going to head over to Google. But what would I need to do to implement what you suggested above?

Just pick a name for the new group and apply it. It could go something like this:

Code:

groupadd webmeisters
chown -R root:webmeisters /var/www/html/
find /var/www/html/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;

That leaves any other directories under /var/www/ alone such as maybe /var/www/cgi-bin/
The two 'find' instance show the difference settings for files and directories.

(Numerically that would be 2775 in octal instead of u=rwx,g=rwxs,o=rx in symbolic mode. The symbolic mode works to unset the setgid bit also but the octal mode does not.)

The owner of the directories and files is not important as long as it is not www-data. You could leave that as maples, as long as the group is set to the shared group.

Then add users to the shared group.

Code:

gpasswd -a maples webmeisters

On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.

keefaz · 05-24-2016, 05:24 AM

mod_userdir could be simpler to use in an home config (and will not be affected by system upgrade, in case upgrade replaces all the /var/www config)

Server dir would be in anthony@poweredge1950

ublic_html, url would be http://poweredge1950/~anthony

maples · 05-24-2016, 08:03 AM

Quote:

Originally Posted by Turbocapitalist

Just pick a name for the new group and apply it. It could go something like this:

Code:

groupadd webmeisters
chown -R root:webmeisters /var/www/html/
find /var/www/html/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;

So from what I found last night, the setGID bit will ensure that files created in that directory will have the same group as the parent directory. So any file that I create (with any user that has sufficient privileges to write) will have webmeisters as the group, right?

Quote:

Originally Posted by Turbocapitalist

On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.

I've never looked very closely at my umask before, but most of my files in ~/ (on several systems) are -rw-r--r--. On this Debian server, my umask is 0022:

Code:

anthony@poweredge1950:~$ umask
0022

Is there a way to set the umask only for a directory? (so any file I create in /var/www/html/ has umask 0002, but everywhere else is still 0022)
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?

Turbocapitalist · 05-24-2016, 08:46 AM

Quote:

Originally Posted by maples

So from what I found last night, the setGID bit will ensure that files created in that directory will have the same group as the parent directory. So any file that I create (with any user that has sufficient privileges to write) will have webmeisters as the group, right?

Yes.

Quote:

Originally Posted by maples

Is there a way to set the umask only for a directory? (so any file I create in /var/www/html/ has umask 0002, but everywhere else is still 0022)
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?

I was hoping not to have to think about ACLs, but they can do that and it's not possible any other way with the EXT file systems.

The part that I find confusing, aside from the ACLs themselves, is that umask is for the processes (e.g. your shell) not the file system.

Code:

setfacl -b -m group:webmeisters:rwx,d:group:webmeisters:rw- /var/www/html/

The -b clears any previous ACL for that directory before making the settings specified by -m, otherwise it can get cluttered when experimenting.

You can see what you have set with 'getfacl'

Code:

getfacl /var/www/html/

If you have a large business or organization with many users in your basement then you can consider OpenAFS, which has much easier way, but is harder to install.

maples · 05-24-2016, 11:54 AM

I think I'm going to stick with umasks for now, though ACLs look like something I should look into some day.

Theoretically, if this was a multi-user environment, would /etc/profile be an appropriate place to put the umask?

Turbocapitalist · 05-24-2016, 12:09 PM

Quote:

Originally Posted by maples

Theoretically, if this was a multi-user environment, would /etc/profile be an appropriate place to put the umask?

Yes, but a separate file in /etc/profile.d/ is better. If they are using bash, ksh, or zsh, then put a file in /etc/profile.d/ with a name you will recognize and have that contain the 'umask' setting. It will set umask for everyone with the main shells: bash, zsh, and ksh. The default is bash. It is always possible for the user to modify their own umask if even only for their current session.

maples · 05-24-2016, 12:22 PM

Awesome. I just made /etc/profile.d/my_umask.sh with "umask 0002" and that seemed to take care of it.

And the sshfs still works like I originally intended

Thank you!

Habitual · 05-24-2016, 01:33 PM

Quote:

Originally Posted by Turbocapitalist

Just pick a name for the new group and apply it. It could go something like this:

Code:

groupadd webmeisters
chown -R root:webmeisters /var/www/html/
find /var/www/html/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/html/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;

That leaves any other directories under /var/www/ alone such as maybe /var/www/cgi-bin/
The two 'find' instance show the difference settings for files and directories.

(Numerically that would be 2775 in octal instead of u=rwx,g=rwxs,o=rx in symbolic mode. The symbolic mode works to unset the setgid bit also but the octal mode does not.)

The owner of the directories and files is not important as long as it is not www-data. You could leave that as maples, as long as the group is set to the shared group.

Then add users to the shared group.

Code:

gpasswd -a maples webmeisters

On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.

You really should stick this in your blog so I can find it readily.

I look for it a lot.

Turbocapitalist · 05-24-2016, 03:18 PM

Quote:

Originally Posted by Habitual

You really should stick this in your blog so I can find it readily.

I look for it a lot.

I'll see what I can do to polish it and make a blog entry of it. I'm not sure how slow or fast I can get to it though. Which terms or phrases would be most useful in helping find it again?

Turbocapitalist · 05-24-2016, 03:35 PM

Quote:

Originally Posted by maples

Awesome. I just made /etc/profile.d/my_umask.sh with "umask 0002" and that seemed to take care of it.

And the sshfs still works like I originally intended

Thank you!

You're welcome.

Turbocapitalist · 05-29-2016, 07:34 AM

Quote:

Originally Posted by Habitual

You really should stick this in your blog so I can find it readily.

I look for it a lot.

As per your suggestion, I've posted an entry: https://www.linuxquestions.org/quest...e-users-37043/

Let me know if there are any phrases or terms that you normally use when searching for it and I can add them.