Hello Everyone,
How do I add myself as co-owner of a directory? I set up a new apache server and need to transfer files to /var/www/html. The problem is, of course, I've denied root login but don't have sufficient privs to login and transfer files under my username.
How can I fix this?
Thanks, Anthony
On 20.06.2013 05:17, Anthony wrote:
How do I add myself as co-owner of a directory? I set up a new apache server and need to transfer files to /var/www/html. The problem is, of course, I've denied root login but don't have sufficient privs to login and transfer files under my username.
How can I fix this?
man chown
man chgrp
man setfacl
generally the files should not be owned by apache and only writeable by the owner, in your case you
From a security point of view it is very bad if the webserver has write permissions, because after a small breach it may lead to manipulated files and open the doors wide.
On 06/19/2013 10:19 PM, Reindl Harald wrote:
man chown
man chgrp
man setfacl
generally the files should not be owned by apache and only writeable by the owner, in your case you
From a security point of view it is very bad if the webserver has write permissions, because after a small breach it may lead to manipulated files and open the doors wide.
Thank you. In my case, it looked like root was one of the owners of the directory but apache wasn't. The owners were listed as root and me. But I couldn't write to it.
I did a chown anthony: /var/www/html and that seems to have given me write privs since I'm now the owner. I couldn't find the man page for setfacl but I'll dig around the net and see if I can find it.
In the meantime, I'm assuming simply taking ownership of the directory shouldn't open any security holes, right?
Thanks for the quick help!
anthony
Allegedly, on or about 19 June 2013, Anthony sent:
In my case, it looked like root was one of the owners of the directory but apache wasn't.
That's the usual approach. It means that, by default, nobody can mess with your webserver files (local users, nor strangers over the WWW), unless they have significant privileges to either log-in differently, or to change the directory structure to something else.
In the meantime, I'm assuming simply taking ownership of the directory shouldn't open any security holes, right?
Nothing springs to mind, so long as you keep your own account safe and secure.
On a computer either owned by one person, or a webservice managed by one person, common simple solutions are to change ownership, or group-ownership of the files to the account of the person being webmaster. Or one could set up a new webmaster user account, and use that separately from their own account.
On my computer, which I use as a test bed for websites, I left /var/www/html/ as the default, and set up new directory paths for virtual hosts (one for each domain name that I set up a test website for), and I own the directories and files in those different locations. Any connections to the webserver using the wrong address, or just the IP, get the default website, which works as an error page.
e.g. If you ran WWW sites www.example.com and www.example.net, you might run local test sites from /var/www/example.com/ /var/www/example.net/, with configuration files that associated the website address with those separate directories.
Of course, if you use SELinux, you need to check on the contexts being applied. And any that are re-applied, if you do a default relabel.
On 20 June 2013 04:42, Anthony lists@cajuntechie.org wrote:
Thank you. In my case, it looked like root was one of the owners of the directory but apache wasn't. The owners were listed as root and me. But I couldn't write to it.
I did a chown anthony: /var/www/html and that seems to have given me write privs since I'm now the owner. I couldn't find the man page for setfacl but I'll dig around the net and see if I can find it.
Just spotted this, so apologies if I've missed some other context, but to pick up on something you said here: It's very unusual to have two owners for a file or directory. It might be possible on some filesystems, but not on a normal Linux FS. I think you might be misinterpreting the ls -l output of something like (on this RHEL machine):
$ ls /var/lib/mlocate/ -lhd
drwxr-x---. 2 root slocate 4.0K Jun 20 03:26 /var/lib/mlocate/
Here the second name indicates the group, not a second owner. Group members are subject to the group permissions; here slocate doesn't have write access to this directory. As a normal user not in the group I don't have read or write access.
In the meantime, I'm assuming simply taking ownership of the directory shouldn't open any security holes, right?
Well, weakening permissions always has some security implications, but as Harald said it's actually having the web server with write permission that is the thing to avoid. A separate group able to write to the www directory is the right way to do this, if only one user needs it then ownership instead is equivalent.
On Thu, 2013-06-20 at 14:30 +0100, Ian Malone wrote:
Well, weakening permissions always has some security implications, but as Harald said it's actually having the web server with write permission that is the thing to avoid. A separate group able to write to the www directory is the right way to do this, if only one user needs it then ownership instead is equivalent.
A nice solution to this problem is described in the Red Hat documentation for "user private groups", which is how Fedora manages user groups anyway. We have the Web server as a member of a group of users that owns the html directory, along with other users who need to maintain it. Properly implemented, this seems to work well. Google "user private groups" for details.
Hi
Is this your box? Or does it belong to some service?
You need to be owner or group...
How you do that depends on who you are.
Marvin
On Wed, Jun 19, 2013 at 8:17 PM, Anthony lists@cajuntechie.org wrote:
Hello Everyone,
How do I add myself as co-owner of a directory? I set up a new apache server and need to transfer files to /var/www/html. The problem is, of course, I've denied root login but don't have sufficient privs to login and transfer files under my username.
How can I fix this?
Thanks, Anthony
-- Anthony Papillion Phone: 1.918.533.9699 SIP: sip:cajuntechie@iptel.org iNum: +883510008360912 XMPP: cypherpunk38@jit.si
www.cajuntechie.org
users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On Wed, Jun 19, 2013 at 8:17 PM, Anthony lists@cajuntechie.org wrote:
Hello Everyone,
How do I add myself as co-owner of a directory? I set up a new apache server and need to transfer files to /var/www/html. The problem is, of course, I've denied root login but don't have sufficient privs to login and transfer files under my username.
How can I fix this?
There are a few ways to go about this. There are lots of ways to control access to files and directories on Linux systems. ;-)
You could create a group with permissions to edit the directory, and add yourself to it:
# create an 'htmleditors' group
groupadd htmleditors
# add 'anthony' to it
usermod -aG htmleditors anthony
# change the directory to be owned by the group
chgrp -R htmleditors /var/www/html
# grant read/write permissions to the group
chmod -R g+rw /var/www/html
Or you can use POSIX ACLs to just give yourself access:
# give 'anthony' Read/Write/eXecute permissions on all files in /var/www/html
setfacl -R -m u:anthony:rwX /var/www/html
# set the same as a default ACL on each directory, so newly created files inherit it
# (-print0/-0 keeps paths with spaces intact; -R is not needed since find already lists every directory)
find /var/www/html -type d -print0 | xargs -0 setfacl -m d:u:anthony:rwX
You can even combine the two:
groupadd htmleditors
usermod -aG htmleditors anthony
setfacl -R -m g:htmleditors:rwX /var/www/html
find /var/www/html -type d -print0 | xargs -0 setfacl -m d:g:htmleditors:rwX
See the man pages for the various commands used for more information about what exactly is going on.
-T.C.
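As an added example (not code from the thread), here is a small Python model of the access check that Ian's ls -l explanation and T.C.'s group and ACL recipes both rely on: owner bits, group bits, named ACL entries and the ACL mask. The directory states are constructed to mirror the commands discussed above; the apache account name and the htmleditors group are taken from the thread, and the file layout is assumed rather than read from disk.

```python
"""Model of the Linux access check discussed in the thread: owner bits, group bits,
POSIX ACL entries and the ACL mask (added example, not code from the list)."""
from dataclasses import dataclass, field

W = 0o2  # write bit inside an rwx triple (r=4, w=2, x=1)

@dataclass
class Entry:
    """One file or directory as getfacl describes it (constructed, not read from disk).
    mode's group triple is the owning group entry (getfacl's group::), not the mask."""
    owner: str
    group: str
    mode: int                                        # e.g. 0o755 as shown by ls -l
    acl_users: dict = field(default_factory=dict)    # u:<name>:perm entries, perm 0..7
    acl_groups: dict = field(default_factory=dict)   # g:<name>:perm entries, perm 0..7
    mask: int = 0o7                                  # ACL mask; 0o7 means no mask in effect

def can_write(e: Entry, user: str, groups: set) -> bool:
    """POSIX.1e check order: owner, named user, group class, other.
    A real root process bypasses all of this (CAP_DAC_OVERRIDE); not modelled here."""
    if user == e.owner:                              # owner entry is never masked
        return bool((e.mode >> 6) & W)
    if user in e.acl_users:                          # named user entry, limited by mask
        return bool(e.acl_users[user] & e.mask & W)
    matched = False                                  # group class: owning group + named groups
    if e.group in groups:
        matched = True
        if (e.mode >> 3) & e.mask & W:
            return True
    for name, perm in e.acl_groups.items():
        if name in groups:
            matched = True
            if perm & e.mask & W:
                return True
    if matched:                                      # a group entry matched but none grants
        return False
    return bool(e.mode & W)                          # fall through to the other bits

def web_server_can_write(e: Entry, webuser: str = "apache") -> bool:
    """The condition Harald and Ian warn about: the httpd account can modify the path."""
    return can_write(e, webuser, {webuser})

# Constructed states of /var/www/html mirroring the commands in the thread.
STOCK   = Entry("root", "root", 0o755)                                        # fresh install
CHOWNED = Entry("anthony", "anthony", 0o755)                                  # chown anthony: /var/www/html
GROUPED = Entry("root", "htmleditors", 0o775)                                 # chgrp htmleditors + chmod g+rw
ACLED   = Entry("root", "root", 0o755, acl_users={"anthony": 0o7})            # setfacl -m u:anthony:rwX
MASKED  = Entry("root", "root", 0o755, acl_users={"anthony": 0o7}, mask=0o5)  # same, then chmod g-w
```

MASKED shows the setfacl pitfall: a later chmod on the group bits rewrites the ACL mask, silently revoking the named user's write access.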
Allegedly, on or about 19 June 2013, Anthony sent:
The problem is, of course, I've denied root login but don't have sufficient privs to login and transfer files under my username.
Sounds like an underlying problem, here, of understanding the filesystem, more than just having a problem with Apache.
By "denying root logins," do you mean that you can't login as the root user, in the same way that you would login as yourself? That's normal, for graphical logins. Not normal for command line interfaces.
Don't try logging in as root. Open up a terminal, and switchover to the root user, do what changes you need to make, then switch back to yourself.
For example:
[tim@server ~]$ su -
Password:
[root@server ~]# chgrp tim /var/www/html
[root@server ~]# ls -ld /var/www/html
drwxr-xr-x 2 root tim 4096 Sep 19 2007 /var/www/html/
[root@server ~]# logout
[tim@server ~]$ cp testpage.html /var/www/html/
[tim@server ~]# cd /var/www/html
[tim@server html]# gvim homepage.html
That's just one approach of giving myself access, of checking that it worked, then starting to do things in that directory as myself.
The "su" command is a "switch user" command, or "substitute user." Over the years the letters have been said to stand for various things, so concern yourself with what it does, more than what it might stand for. The dash after it gives you the usual shell environment for the user that you're going to switch to, rather than carrying on using your own (it's an abbreviation for "-l" or "--login"). And in the absence of a username typed after it, you'll switch to being the root user.
i.e. "su -" or "su -l" or "su --login" or "su -l root" all do the same thing. See the man file for su.