[NBLUG/talk] Permissions question
Todd Cary
todd at aristesoftware.com
Fri Oct 17 17:33:01 PDT 2003
Yup! There it is plain as day....
Now for a security question:
If I set the permissions of /home/httpd to drwxrwxr-x, he can change to
the directory, but he or anyone can execute a file. Is this a risky
thing to do in a ftp directory?
chroot local_users=YES
Todd
Mark Street wrote:
>UNIX mantra states that the user/group ownership/permissions on a
>directory dictate the access and permissions to the subdirectories and
>files under it.
>
>There is no way poor brianpics can chdir into his home dir when he logs
>in because the permissions on /home/httpd dir restrict him from changing
>to his home dir. You have 3 or more choices...
>
>1. Move his home dir to a more compliant place in the filesystem.
>2. Add him to the adm group.
>3. Change ownership && || perms on the /home/httpd dir.
>
>May I suggest you take a look at the Linux Filesystem Hierarchy Standard
>and the Linux Security HOWTO - Files and Filesystem Security.
>
>On Fri, 17 Oct 2003, Todd Cary wrote:
>
>>/etc/passwd: brianpics:x:515:100:brianpics:/home/httpd/brianpics:/bin/bash
>>
>>id brianpics: uid=515(brianpics) gid=100(users)
>>groups=100(users),515(brianpics)
>>
>>/home/httpd permissions: owner - apache; group - adm; permissions -
>>drwxrwxr--
>>
>>At this time I have
>>
>>chroot local_users=YES
>>
>>to restrict all users, but I will implement the list in the future.
>>
>>Running RH 9, is user "adm" a default? I do not remember setting that up.
>>
>><<< adm:x:3:4:adm:/var/adm:/sbin/nologin >>>
>>
>>Many thanks.........
>>
>>Todd
>>
>>
>>Mark Street wrote:
>>
>>>Let's see brianpics entry in /etc/passwd,
>>>
>>>and the output from the command
>>>
>>>id brianpics
>>>
>>>What are the full permissions on /home/httpd directory?
>>>For brianpics directory the perms can be more restrictive 750 or even 700.
>>>
>>>From /etc/vsftpd/vsftpd.conf, uncomment as I have done here. Of course my
>>>config may be different than yours..
>>>
>>># You may specify an explicit list of local users to chroot() to their home
>>># directory. If chroot_local_user is YES, then this list becomes a list of
>>># users to NOT chroot().
>>>chroot_list_enable=YES
>>># (default follows)
>>>chroot_list_file=/etc/vsftpd.chroot_list
>>>#
>>>
>>>Create the file vsftpd.chroot_list file and put the users login name in it.
>>>
>>>then run as root
>>>
>>>service vsftpd restart
>>>
>>>login as your user.... ftp chroot jail...
>>>
>>>On Friday 17 October 2003 07:45, Todd Cary wrote:
>>>
>>>>Mark -
>>>>
>>>><<<
>>>>ServerRoot /etc/httpd or DocumentRoot /home/httpd/html
>>>>
>>>>ServerRoot /etc/httpd
>>>>
>>>><<<
>>>>
>>>>DocumentRoot /home/httpd/html
>>>>
>>>><<<
>>>>the Apache 1.3* or Apache 2 ??
>>>>
>>>>What ftp server are you using?
>>>>
>>>>Apache 2.
>>>>VsFtp
>>>>
>>>><<<
>>>>Why do you set the group to adm on the brianpics dir, set it to the
>>>>owner and
>>>>
>>>>If I set the group to the owner, brianpics, I cannot login. Why?
>>>>
>>>>Here is the confusing part for me:
>>>>
>>>>The users home directory is /home/httpd/brianpics and the privileges are
>>>>drwxrwxr-- and the directory is owned by brianpics. The ftp error is
>>>>"500 OOPS: chdir" on attempting login.
>>>>
>>>>chdir from where to where?
>>>>
>>>>Sorry if this has an obvious answer that I am just missing, but......
>>>>
>>--
>>
>>_______________________________________________
>>talk mailing list
>>talk at nblug.org
>>http://nblug.org/mailman/listinfo/talk
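As an added illustration of the point this thread turns on (chdir needs the x bit on every directory along the path, and which permission class applies is decided by uid and group membership), the following Python models that check and runs the thread's own cases; it is not code from the list or from any poster. The uids for root, apache and the unrelated user are assumed; brianpics (uid/gid 515, also in users=100) and adm (gid 4) come from the quoted /etc/passwd lines.

```python
from collections import namedtuple
R, W, X = 4, 2, 1                             # bits within one permission class
Entry = namedtuple("Entry", "mode uid gid")   # mode holds permission bits only

def has_access(e, uid, groups, want):
    """Discretionary check for a non-root caller: owner, then group, then other."""
    if uid == e.uid:
        cls = (e.mode >> 6) & 7
    elif e.gid in groups:
        cls = (e.mode >> 3) & 7
    else:
        cls = e.mode & 7
    return bool(cls & want)

def can_chdir(tree, path, uid, groups):
    """chdir() needs search (x) on each directory; report the first one that denies it."""
    cur = ""
    for name in path.strip("/").split("/"):
        cur += "/" + name
        if not has_access(tree[cur], uid, groups, X):
            return False, cur
    return True, None

# Constructed tree mirroring the thread. brianpics (515, also in users=100) and
# adm (gid 4) are from the posted passwd lines; root, apache and ELSE are assumed.
ROOT, APACHE, BRIANPICS, ELSE = 0, 48, 515, 9999
ADM, USERS = 4, 100
HOME = "/home/httpd/brianpics"

def tree(httpd_mode):
    return {"/home": Entry(0o755, ROOT, ROOT),
            "/home/httpd": Entry(httpd_mode, APACHE, ADM),
            HOME: Entry(0o750, BRIANPICS, BRIANPICS),
            HOME + "/photo.jpg": Entry(0o644, BRIANPICS, BRIANPICS)}
def scenarios():
    me, mine = BRIANPICS, {USERS, BRIANPICS}
    return {
        # drwxrwxr--: 'other' has no x on /home/httpd, so vsftpd's chdir/chroot fails
        "0774": can_chdir(tree(0o774), HOME, me, mine),
        # the thread's option 2: add brianpics to adm, so the group class applies
        "0774_in_adm": can_chdir(tree(0o774), HOME, me, mine | {ADM}),
        # Todd's drwxrwxr-x: traversal works, but any other local user can list /home/httpd
        "0775": can_chdir(tree(0o775), HOME, me, mine),
        "0775_other_lists": has_access(tree(0o775)["/home/httpd"], ELSE, {ELSE}, R),
        # drwxrwx--x: traversal still works, and 'other' cannot list the directory
        "0771": can_chdir(tree(0o771), HOME, me, mine),
        "0771_other_lists": has_access(tree(0o771)["/home/httpd"], ELSE, {ELSE}, R),
        # x on a directory is search only; a 0644 file inside stays non-executable
        "file_x_other": has_access(tree(0o775)[HOME + "/photo.jpg"], ELSE, {ELSE}, X),
    }
```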