[NBLUG/talk] Permissions question

Todd Cary todd at aristesoftware.com
Fri Oct 17 17:33:01 PDT 2003


Yup!  There it is plain as day....

Now for a security question:

If I set the permissions of /home/httpd to drwxrwxr-x, he can change to 
the directory, but he or anyone can execute a file.  Is this a risky 
thing to do in an ftp directory?

chroot_local_user=YES

Todd

Mark Street wrote:

>UNIX mantra states that the user/group ownership/permissions on a
>directory dictate the access and permissions to the subdirectories and
>files under it.
>
>There is no way poor brianpics can chdir into his home dir when he logs
>in because the permissions on /home/httpd dir restrict him from changing
>to his home dir.  You have 3 or more choices...
>
>1.  Move his home dir to a more compliant place in the filesystem.
>2.  Add him to the adm group.
>3.  Change ownership && || perms on the /home/httpd dir.
>
>May I suggest you take a look at the Linux Filesystem Hierarchy Standard
>and the Linux Security HOWTO - Files and Filesystem Security.
>
>On Fri, 17 Oct 2003, Todd Cary wrote:
>
>>/etc/passwd: brianpics:x:515:100:brianpics:/home/httpd/brianpics:/bin/bash
>>
>>id brianpics: uid=515(brianpics) gid=100(users)
>>groups=100(users),515(brianpics)
>>
>>/home/httpd permissions: owner - apache; group - adm; permissions -
>>drwxrwxr--
>>
>>At this time I have
>>
>>chroot_local_user=YES
>>
>>to restrict all users, but I will implement the list in the future.
>>
>>Running RH 9, is user "adm" a default?  I do not remember setting that up.
>>
>><<< adm:x:3:4:adm:/var/adm:/sbin/nologin >>>
>>
>>Many thanks.........
>>
>>Todd
>>
>>
>>Mark Street wrote:
>>
>>>Let's see brianpics entry in /etc/passwd,
>>>
>>>and the output from the command
>>>
>>>id brianpics
>>>
>>>What are the full permissions on /home/httpd directory?
>>>For brianpics directory the perms can be more restrictive 750 or even 700.
>>>
>>>From /etc/vsftpd/vsftpd.conf, uncomment as I have done here.  Of course my
>>>config may be different than yours..
>>>
>>># You may specify an explicit list of local users to chroot() to their home
>>># directory. If chroot_local_user is YES, then this list becomes a list of
>>># users to NOT chroot().
>>>chroot_list_enable=YES
>>># (default follows)
>>>chroot_list_file=/etc/vsftpd.chroot_list
>>>#
>>>
>>>Create the vsftpd.chroot_list file and put the user's login name in it.
>>>
>>>then run as root
>>>
>>>service vsftpd restart
>>>
>>>login as your user.... ftp chroot jail...
>>>
>>>On Friday 17 October 2003 07:45, Todd Cary wrote:
>>>
>>>>Mark -
>>>>
>>>><<<
>>>>ServerRoot /etc/httpd or DocumentRoot /home/httpd/html
>>>>
>>>>
>>>>ServerRoot /etc/httpd
>>>>
>>>><<<
>>>>
>>>>DocumentRoot /home/httpd/html
>>>>
>>>><<<
>>>>theApache 1.3* or Apache 2 ??
>>>>
>>>>What ftp server are you using?
>>>>
>>>>
>>>>Apache 2.
>>>>VsFtp
>>>>
>>>><<<
>>>>Why do you set the group to adm on the brianpics dir, set it to the
>>>>owner and
>>>>
>>>>If I set the group to the owner, brianpics, I cannot login.  Why?
>>>>
>>>>Here is the confusing part for me:
>>>>
>>>>The users home directory is /home/httpd/brianpics and the privileges are
>>>>drwxrwxr-- and the directory is owned by brianpics.  The ftp error is
>>>>"500 OOPS: chdir" on attempting login.
>>>>
>>>>chdir from where to where?
>>>>
>>>>Sorry if this has an obvious answer that I am just missing, but......
>>_______________________________________________
>>talk mailing list
>>talk at nblug.org
>>http://nblug.org/mailman/listinfo/talk
-- 
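Added example, not part of the original thread: a small Python model of the per-directory search (x) check behind the "500 OOPS: chdir" error, using the ownership and modes quoted above. The apache uid (48) and the root-owned 0755 modes for / and /home are assumptions; the tree is constructed in memory and no real filesystem is touched.

```python
# Constructed model of the directories in the thread: path -> (owner uid, group gid, mode).
# Assumptions: apache uid 48, and root-owned 0755 for / and /home.
THREAD_TREE = {
    "/": (0, 0, 0o755),
    "/home": (0, 0, 0o755),
    "/home/httpd": (48, 4, 0o774),             # apache:adm drwxrwxr--
    "/home/httpd/brianpics": (515, 4, 0o774),  # brianpics:adm drwxrwxr--
}

BRIANPICS = {"uid": 515, "gids": {100, 515}}   # from the `id brianpics` output


def class_bits(owner, group, mode, uid, gids):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def ancestors(target):
    """'/a/b' -> ['/', '/a', '/a/b']; every one of these needs the x bit to chdir."""
    parts = [p for p in target.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def first_chdir_block(tree, target, uid, gids):
    """Return the first directory lacking search (x) for this user, or None if chdir works."""
    for d in ancestors(target):
        owner, group, mode = tree[d]
        if not class_bits(owner, group, mode, uid, gids) & 1:
            return d
    return None


if __name__ == "__main__":
    home = "/home/httpd/brianpics"
    print("as configured:", first_chdir_block(THREAD_TREE, home, **BRIANPICS))

    # Choice 3 from the thread: change perms on /home/httpd to drwxrwxr-x.
    fixed = dict(THREAD_TREE)
    fixed["/home/httpd"] = (48, 4, 0o775)
    print("with 0775:   ", first_chdir_block(fixed, home, **BRIANPICS))

    # Choice 2 from the thread: add brianpics to the adm group (gid 4).
    print("in adm group:", first_chdir_block(THREAD_TREE, home, 515, {100, 515, 4}))
```

On a directory the x bit grants search (traversal), not execution of the files inside it, and with 0775 the "other" class still has no write bit on /home/httpd. Adding the user to adm instead gives him the group's rwx there, including write.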