[cobalt-security] Telnet/SSH simple user permissions
- Subject: [cobalt-security] Telnet/SSH simple user permissions
- From: Dave Anders <hostmaster@xxxxxxxxxxxxx>
- Date: Wed, 12 Jun 2002 14:23:48 -0400
- Organization: Deltaphon Multimedia GmbH
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Jeff,
I changed
drwxr-xr-x 7 nobody home 4096 Mar 13 11:15 /home/sites/home
to
drwxr-xr-x 7 admin home 4096 Mar 13 11:15 /home/sites/home
(Command chown -R admin home)
The problem belongs to this home directory and all site directories
(site1, site2, site 3 ... site 75 ...)
User alfred or peter is able to enter into that directory using the
UNIX command cd /home/sites/home successfully.
No permission denied message at all.
Why is alfred allowed to enter into a directory which is
owned by admin?
It seems to me I have to fix that problem manually.
I have been working with Linux Red Hat since 1997.
I've never seen such a Linux configuration before.
Thank you,
Dave
----- Original Message -----
From: "Jeff Lasman" <jblists@xxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Wednesday, June 12, 2002 6:49 PM
Subject: Re: [cobalt-security] Telnet/SSH simple user permissions
> Dave Anders wrote:
>
> > I changed the permissions without any success.
> > Every siteadmin/siteuser is still able to enter into
> > all site directories. They can read and copy but have
> > no write permissions.
>
> What did you change permissions to? You get to control the
> permissions:
>
> For example:
>
> -rw-rw-r-- 1 admin home 5469 May 9 2001 index.html
>
> Let's take those first ten single-character columns one at a time:
>
> The first column is "l" for a link, "-" for a regular file, and "d"
> for a directory.
>
> The next three columns set the permissions for the file owner; the
> next three after that set the permissions for the group the file
> belongs to, and the third three for the rest of the world.
>
> So let's look at a rather standard "-rw-rw-r--" for the index.html
> file:
>
> The owner gets to read and write the file, anyone belonging to the
> "home" group gets to read and write the file, and the rest of the
> world gets to read the file.
>
> Sure, you can turn off that last "r" and make the permissions
> "-rw-rw----" but if you do no one can see the files from the
> Internet; the Internet is the rest of the world.
>
> You can create a much more secure server, in which the files would
> look like this:
>
> -rw------- 1 httpd httpd 5469 May 9 2001 index.html
>
> or even
>
> -r-------- 1 httpd httpd 5469 May 9 2001 index.html
>
> But then you'd have to maintain the website by hand from a shell
> account, and you'd have to have httpd privileges to do it.
>
> You could probably develop a system something like this:
>
> -rw-r----- 1 joe httpd 5469 May 9 2001 index.html
>
> Where joe is the site admin. There'd be a bunch of other issues;
> most importantly you couldn't have multiple siteadmins.
>
> It's possible, but not easily done on a Cobalt RaQ.
>
> Shared hosting has its limitations, based on the simple point that
> the world has to be able to read the files to see the website.
>
> Jeff
> --
> Jeff Lasman <jblists@xxxxxxxxxxxxx>
> Linux and Cobalt/Sun/RaQ Consulting
> nobaloney.net, P. O. Box 52672, Riverside, CA 92517
> voice: +1 909 778-9980 * fax: +1 909 548-9484
>
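
Added example, not part of either message above: a shell sketch of the owner/group/other column rule from the quoted reply, applied to the `drwxr-xr-x ... admin home` listing in the question to show which triad decides whether a user may `cd` into the directory. The function names and the group memberships given for alfred and peter are assumptions; ACLs and root are ignored.

```sh
#!/bin/sh
# Added example: classic Unix mode-bit evaluation (no ACLs, caller not root).
# Function names and the users' group memberships are constructed.

# triad_for MODE OWNER GROUP USER "USER_GROUPS"
# Prints the class (owner|group|other) and the three mode columns that
# apply to USER. Exactly one class is consulted: owner if USER owns the
# entry, else group if USER is a member, else other. No fall-through.
triad_for() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    class=other; cols=8-10
    case " $ugroups " in
        *" $group "*) class=group; cols=5-7 ;;
    esac
    if [ "$user" = "$owner" ]; then class=owner; cols=2-4; fi
    printf '%s %s\n' "$class" "$(printf '%s' "$mode" | cut -c"$cols")"
}

# can_enter MODE OWNER GROUP USER "USER_GROUPS"
# Prints "yes" if USER may cd into the entry: it must be a directory and
# the applicable triad must carry the search bit (x, or s/t which imply x).
can_enter() {
    case $1 in
        d*) ;;
        *) echo no; return ;;
    esac
    bits=$(triad_for "$@")
    case "${bits#* }" in
        ??[xst]) echo yes ;;
        *) echo no ;;
    esac
}

# Listing from the question, after "chown -R admin home".
# alfred is assumed not to be in group "home", so the "other" columns apply.
triad_for drwxr-xr-x admin home alfred "site1 users"   # other r-x
can_enter drwxr-xr-x admin home alfred "site1 users"   # yes

# Same directory with the "other" columns cleared (mode 750).
can_enter drwxr-x--- admin home alfred "site1 users"   # no
can_enter drwxr-x--- admin home peter "home"           # yes (group member)
```

Changing the owner only changes who matches the first triad; every other account still falls under the group or "other" columns, which is why the listing's trailing `r-x` decides the outcome for alfred.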