
RE: [cobalt-security] Telnet/SSH simple user permissions



Dave Anders wrote:
> I changed
> drwxr-xr-x   7 nobody    home         4096 Mar 13 11:15
> /home/sites/home
> to
> drwxr-xr-x   7 admin    home         4096 Mar 13 11:15
> /home/sites/home
> (Command chown -R admin home)

OK, care required here...
<snip>
> User alfred or peter is able to enter into that directory using the
> UNIX command cd /home/sites/home successfully.

Yes they are, because 'everybody' has read and execute (or search) privileges. That's what the drwxr-xr-x means, as Jeff explained earlier.

Sure, you could take the permissions off, but that would render your webserver inoperable. Also, by making that change you've probably rendered FTP and FrontPage uploads inoperable too.

I know this has been explained previously, but I'll reiterate it: ALL files on the system which need to be reachable from a web browser via the Apache server MUST have permissions for 'everybody' to access them. Not to write them, necessarily (as that's obviously bad) but certainly to read & execute them.

> Why is alfred allowed to enter into a directory which is
> owned by admin?

See above. They have permission to, regardless of owner.

> Since 1997 I've been working with Red Hat Linux.
> I've never seen such a Linux configuration before.

I've been working with various flavours of UNIX since about that time too, and also with Macs, Windows systems, and so on. This is a fundamental setting issue with webservers on multi-user systems: the webserver runs as a specific user (nobody, www, apache, whatever). That user MUST be able to read the files in the website directories. That means _either_ the webserver user must be in all the relevant groups (messy, potentially fatal as the groups file or group entries can grow too large), or all web users must be in the same group as the webserver user (same problems); or all web directories *and the paths to them* must be readable by that user. That means 'everybody', since we already discounted the groups.

HTH

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
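The path-walking rule Graeme describes, as an added example (not code from the original thread or from Host Europe): since the Apache user is neither the owner nor a group member of /home/sites/home, it falls under 'other', so every directory on the path needs o+x and the file itself needs o+r. The script below checks that for one path; the scratch tree it builds is constructed for the demo, and the function names (`other_bits`, `world_reachable`, `demo`) are this example's own.

```shell
# Added example (not code from the original thread). The Apache user ('nobody')
# is neither owner nor group member of /home/sites/home, so it falls under
# 'other': each directory on the path needs o+x (search), the file needs o+r.

# Print the 'other' rwx triplet from ls -ld, e.g. "r-x" for drwxr-xr-x.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Usage: world_reachable PATH  -> 0 if 'other' can read it, 1 with a reason.
world_reachable() {
    rest=$1
    case $rest in /*) cur=/; rest=${rest#/} ;; *) cur=. ;; esac
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -z "$part" ] && continue                 # doubled slash
        [ -d "$cur" ] || { printf 'not a directory: %s\n' "$cur"; return 1; }
        # The directory we step through must be searchable by 'other';
        # a 't' in the last column is the sticky bit plus execute.
        case $(other_bits "$cur") in
            ??[xt]) ;;
            *) printf 'blocked: other cannot search %s (%s)\n' \
                      "$cur" "$(other_bits "$cur")"; return 1 ;;
        esac
        case $cur in */) cur=$cur$part ;; *) cur=$cur/$part ;; esac
    done
    [ -e "$cur" ] || { printf 'missing: %s\n' "$cur"; return 1; }
    case $(other_bits "$cur") in
        r??) printf 'ok: other can read %s\n' "$cur"; return 0 ;;
        *)   printf 'blocked: other cannot read %s (%s)\n' \
                    "$cur" "$(other_bits "$cur")"; return 1 ;;
    esac
}

# Demo on a constructed tree mirroring the thread's /home/sites/home layout.
demo() {
    scratch=$(mktemp -d) && chmod 755 "$scratch" || return 1
    mkdir -p "$scratch/home/sites/home/web"
    echo '<p>hello</p>' > "$scratch/home/sites/home/web/index.html"
    chmod 755 "$scratch/home" "$scratch/home/sites" "$scratch/home/sites/home" \
              "$scratch/home/sites/home/web"
    chmod 644 "$scratch/home/sites/home/web/index.html"
    ( cd "$scratch" && world_reachable home/sites/home/web/index.html )  # ok
    chmod 750 "$scratch/home/sites/home"          # drop o+x from one directory
    ( cd "$scratch" && world_reachable home/sites/home/web/index.html )  # blocked
    rm -rf "$scratch"
}
demo
```

The check reads the mode bits rather than calling access(), so it gives the same answer whether you run it as root, the owner or anyone else.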