[SOLVED] Stuck on SSH public key authentication for www-data
./openssh-7.2p2/regress/check-perm.c: "bad ownership or modes for directory %s", buf);
./openssh-7.2p2/auth.c: "bad ownership or modes for directory %s", buf);
It's so the key used for authentication cannot be overwritten by others.
Ok, that makes sense.
Quote:
Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely to end up costing you in the medium to long term.
What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.
It's my home server running in my basement. I wanted a way to be able to edit files in the /var/www/html/ folder (to edit the web pages) and that seemed like a solution. It's a single-user environment and I don't think that's going to ever change.
So if www-data shouldn't have write access, then who should? I don't want to give it to just root, for several reasons. (The biggest one being that I don't think I should have to log in as root just to edit HTML.) Should I give it to my user, or should I create a separate user just for that purpose?
You're right about not logging in as root for that. You should just give the files and directories to your user.
If you are the only user and only ever going to be the only user then it is enough to just chown it to your account and group. Then you can make as many changes as you want and www-data cannot write. Just make sure that the directories have o=rx and that files have o=r so that the web server can still read them.
If you would be moving to a simple multi-user environment, where more than one account would need to edit the web files, then you would just make a new group and apply that, along with the SetGID bit to the directories.
How would I go about doing that? I had tried to do something like that earlier by making /var/www/html 775 www-data:www-data and adding my user to the www-data group, but that didn't work (and caused the problems that led to this thread...)
I think you're saying that it should be a new group, not the www-data group.
I've heard very little about setuid, and never heard of setgid, so I'm going to head over to Google. But what would I need to do to implement what you suggested above?
Just pick a name for the new group and apply it. It could go something like this:
That leaves any other directories under /var/www/ alone such as maybe /var/www/cgi-bin/
The two 'find' instances show the different settings for files and directories.
(Numerically that would be 2775 in octal instead of u=rwx,g=rwxs,o=rx in symbolic mode. The symbolic mode works to unset the setgid bit also but the octal mode does not.)
The owner of the directories and files is not important as long as it is not www-data. You could leave that as maples, as long as the group is set to the shared group.
Then add users to the shared group.
Code:
gpasswd -a maples webmeisters
On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.
So from what I found last night, the setGID bit will ensure that files created in that directory will have the same group as the parent directory. So any file that I create (with any user that has sufficient privileges to write) will have webmeisters as the group, right?
Quote:
Originally Posted by Turbocapitalist
On most systems your 'umask' defaults to 0002, so that means files you create in the affected directories will be group writable by the group 'webmeisters'. Your account will be in the new group the next time you log in.
I've never looked very closely at my umask before, but most of my files in ~/ (on several systems) are -rw-r--r--. On this Debian server, my umask is 0022:
Code:
anthony@poweredge1950:~$ umask
0022
Is there a way to set the umask only for a directory? (so any file I create in /var/www/html/ has umask 0002, but everywhere else is still 0022)
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?
Quote:
Originally Posted by maples
So from what I found last night, the setGID bit will ensure that files created in that directory will have the same group as the parent directory. So any file that I create (with any user that has sufficient privileges to write) will have webmeisters as the group, right?
Yes.
Quote:
Originally Posted by maples
Is there a way to set the umask only for a directory? (so any file I create in /var/www/html/ has umask 0002, but everywhere else is still 0022)
EDIT: Google informs me that you can't do that. So since I have a group for my user and all files I create in my home directory are anthony:anthony, is it any security risk to set umask to 0002?
I was hoping not to have to think about ACLs, but they can do that and it's not possible any other way with the EXT file systems. The part that I find confusing, aside from the ACLs themselves, is that umask is for the processes (e.g. your shell) not the file system.
The -b clears any previous ACL for that directory before making the settings specified by -m, otherwise it can get cluttered when experimenting.
You can see what you have set with 'getfacl'
Code:
getfacl /var/www/html/
If you have a large business or organization with many users in your basement then you can consider OpenAFS, which has a much easier way, but is harder to install.
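An added example, not code from Turbocapitalist or anyone else in the thread, that puts the shared-group/setgid procedure from the earlier post and the umask point above into one script. It assumes GNU/Linux coreutils and that the group already exists; the directory and group names are arguments.

```shell
#!/bin/sh
# Added example (not the thread's code): hand a web document root to a shared
# group with the setgid bit so new files inherit that group, then show why the
# creating process's umask, not the directory, decides group-writability.
# Assumes GNU/Linux coreutils; creating the group (groupadd webmeisters) and
# adding members (gpasswd -a maples webmeisters) need root and are not done here.

# setup_web_tree DIR GROUP
setup_web_tree() {
    dir=$1
    group=$2
    # Only this tree is touched; siblings such as /var/www/cgi-bin are left alone.
    chgrp -R "$group" "$dir" || return 1
    # Directories: u=rwx,g=rwxs,o=rx (2775). The 's' is setgid: files created
    # inside inherit the directory's group instead of the creator's primary group.
    find "$dir" -type d -exec chmod u=rwx,g=rwxs,o=rx {} + || return 1
    # Files: u=rw,g=rw,o=r (664). No setgid on plain files; the web server
    # (www-data) only needs the 'other' read bit.
    find "$dir" -type f -exec chmod u=rw,g=rw,o=r {} + || return 1
}

# mode_of PATH: symbolic mode such as drwxrwsr-x (cut drops any ACL '+' marker)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: group name from the 4th column of ls -l
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# create_with_umask DIR UMASK NAME: create a file under the given umask in a
# subshell (caller's umask is untouched) and print its mode. With the Debian
# default 0022 the group write bit is stripped even inside the 2775 tree;
# with 0002 the file comes out group-writable, which is what the thread wants.
create_with_umask() {
    ( umask "$2" && : > "$1/$3" ) || return 1
    mode_of "$1/$3"
}
```

Run it against a scratch copy first; on the real tree the group must be one you belong to, otherwise the kernel silently drops the setgid bit when a non-root user sets it.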
Theoretically, if this was a multi-user environment, would /etc/profile be an appropriate place to put the umask?
Yes, but a separate file in /etc/profile.d/ is better. If they are using bash, ksh, or zsh, then put a file in /etc/profile.d/ with a name you will recognize and have that contain the 'umask' setting. It will set umask for everyone with the main shells: bash, zsh, and ksh. The default is bash. It is always possible for the user to modify their own umask, even if only for their current session.
You really should stick this in your blog so I can find it readily.
I look for it a lot.
I'll see what I can do to polish it and make a blog entry of it. I'm not sure how slow or fast I can get to it though. Which terms or phrases would be most useful in helping find it again?