
Re: [cobalt-security] Telnet/SSH simple user permissions



Dave Anders wrote:

>   I changed the permissions without any success.
>   Every siteadmin/siteuser is still able to enter into
>   all site directories. They can read and copy but have
>   no write permissions.

What did you change permissions to?  You get to control the permissions:

For example:

-rw-rw-r--   1 admin    home         5469 May  9  2001 index.html

Let's take those first ten single-character columns one at a time:

The first column is "l" for a link, "-" for a regular file, and "d" for
a directory.

The next three columns set the permissions for the file owner; the next
three after that set the permissions for the group the file belongs to,
and the third three for the rest of the world.

So let's look at a rather standard "-rw-rw-r--" for the index.html file:

The owner gets to read and write the file, anyone belonging to the
"home" group gets to read and write the file, and the rest of the world
gets to read the file.

Sure, you can turn off that last "r" and make the permissions
"-rw-rw----" but if you do no one can see the files from the Internet;
the Internet is the rest of the world.

You can create a much more secure server, in which the files would look
like this:

-rw-------   1 httpd    httpd         5469 May  9  2001 index.html

or even

-r--------   1 httpd    httpd         5469 May  9  2001 index.html

But then you'd have to maintain the website by hand from a shell
account, and you'd have to have httpd privileges to do it.

You could probably develop a system something like this:

-rw-r-----   1 joe     httpd          5469 May  9  2001 index.html

Where joe is the site admin. There'd be a bunch of other issues; most
importantly you couldn't have multiple siteadmins.

It's possible, but not easily done on a Cobalt RaQ.

Shared hosting has its limitations, based on the simple point that the
world has to be able to read the files to see the website.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net, P. O. Box 52672, Riverside, CA  92517
voice: +1 909 778-9980  *  fax: +1 909 548-9484
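
An added example, not part of Jeff's message: a small Python check that reads the four `ls -l` lines quoted above and reports what the web server, the site admin and a user from a different site can each do with the file. The `othersite` account and all group memberships are assumptions; root, ACLs and setuid/sticky bits are not modelled.

```python
# Added example: who can read/write a file, judged from its `ls -l` line.
# The listings are the ones quoted in the message; the accounts and their
# group memberships below are assumptions made for illustration.

LISTINGS = [
    "-rw-rw-r--   1 admin    home         5469 May  9  2001 index.html",
    "-rw-------   1 httpd    httpd         5469 May  9  2001 index.html",
    "-r--------   1 httpd    httpd         5469 May  9  2001 index.html",
    "-rw-r-----   1 joe     httpd          5469 May  9  2001 index.html",
]
ACCOUNTS = {                      # user -> groups the user belongs to
    "httpd": {"httpd"},           # the web server
    "joe": {"joe"},               # site admin of this site
    "othersite": {"othersite"},   # hypothetical user of a different site
}

def parse_ls_line(line):
    """Split an `ls -l` line into file type, the three triplets, owner, group."""
    fields = line.split()
    mode, owner, group = fields[0], fields[2], fields[3]
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string: %r" % mode)
    return {"type": mode[0], "owner_bits": mode[1:4], "group_bits": mode[4:7],
            "world_bits": mode[7:10], "owner": owner, "group": group}

def access(entry, user, groups):
    """Return the set of 'r'/'w'/'x' granted to user.

    Exactly one triplet applies: owner if the user owns the file,
    otherwise group if the user is a member, otherwise world.
    """
    if user == entry["owner"]:
        bits = entry["owner_bits"]
    elif entry["group"] in groups:
        bits = entry["group_bits"]
    else:
        bits = entry["world_bits"]
    return {b for b in bits if b in "rwx"}

def report(listings=LISTINGS, accounts=ACCOUNTS):
    """One row per (listing, account): mode, owner, group, user, granted bits."""
    rows = []
    for line in listings:
        e = parse_ls_line(line)
        for user, groups in sorted(accounts.items()):
            perms = "".join(sorted(access(e, user, groups))) or "-"
            rows.append((line.split()[0], e["owner"], e["group"], user, perms))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%s %s:%s  %-10s %s" % row)
```

The first listing grants `r` to `othersite` through the world triplet, which is the behaviour Dave describes; the last one grants the web server `r` through the group triplet while `othersite` gets nothing.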