
Re: securing /var/www or web content



There is the option of POSIX access control lists. Deny remote login
for the users you want to have access to the webroot and add them to
the access control list. For remote users, deny access. Now, if you
want to have users log in remotely and not be able to access those
files, then the only solution I can see is to give each user two
logins, one for remote login with lesser permissions and local only
accounts with more permissions.

For more on access control lists, SUSE has a good overview here:

http://www.suse.de/~agruen/acl/linux-acls/online/

To see if your filesystem supports ACLs, you can "grep ACL
/boot/config-<kernel-version>". On my system here running SID and
2.6.15-1-k7, these modules are enabled.

CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

To enable ACLs, you just need to add the acl option in your fstab for
that partition.

Hope that helps!

Daniel
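An added example, not from Daniel's message or anyone else in this thread, that puts the two suggestions side by side as shell functions: Roger's ownership/mode approach (hand the tree to the web server's group, drop all "other" access, setgid the directories so new files inherit the group) and Daniel's ACL approach (grant one extra group via setfacl without opening the tree to everyone). The group name and webroot path are parameters; the ACL function assumes the acl package is installed and the filesystem is mounted with the acl option, as described above, and the whole thing needs root on a real /var/www.

```shell
#!/bin/sh
# Example code added to illustrate the thread; not the list posters' own.
# Assumed inputs: DIR is the webroot, GROUP the web server's group
# (www-data on Debian), EXTRA_GROUP a deployer group that should also
# get access without making the tree world-accessible.

# harden_webroot DIR GROUP
#   directories -> 2750 (setgid: new files inherit GROUP; no "other" bits)
#   files       -> 0640 (owner rw, group r, nothing for "other")
harden_webroot() {
    root="$1"; grp="$2"
    chgrp -R "$grp" "$root"
    find "$root" -type d -exec chmod 2750 {} +
    find "$root" -type f -exec chmod 0640 {} +
}

# grant_group_acl DIR EXTRA_GROUP
#   Daniel's alternative: give a second group rwx via POSIX ACLs, plus a
#   default ACL so files created later inherit it. Requires setfacl and an
#   ACL-enabled mount (the "acl" option in fstab).
grant_group_acl() {
    root="$1"; grp="$2"
    setfacl -R -m "g:${grp}:rwx" "$root"
    setfacl -R -d -m "g:${grp}:rwx" "$root"
}

# count_world_writable DIR
#   The check behind Roger's diagnosis: how many entries under DIR can
#   any local user write to or delete from? Prints the count.
#   -perm -0002 is POSIX (world-write bit set), so it works with any find.
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# kernel_acl_support
#   Daniel's grep, wrapped: prints the CONFIG_*_POSIX_ACL lines for the
#   running kernel, or nothing if the config file is not present.
kernel_acl_support() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && grep 'POSIX_ACL' "$cfg"
    return 0
}
```

Typical use is `harden_webroot /var/www www-data` followed by `count_world_writable /var/www` (which should print 0); run `grant_group_acl /var/www deployers` only if the web server's group is not enough and `kernel_acl_support` shows the filesystem driver's ACL option compiled in.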


On 2/26/06, Sels, Roger <roger.sels@gov-fbi.net> wrote:
> Olivier,
>
> How is that going to solve the problem?
> His user doesn't have /var/www as a home ; the issue is /var/www is
> world-readable/writeable/executable.
>
> The files in your /var/www should strictly speaking only be accessible to
> your webserver ; for apache usually www-data or apache or httpd accounts
> should have rwx permissions.
> Grep for these in /etc/passwd if unsure which one to use.
>
> You could then set the permissions to xy0 for /var/www with chmod.
> Test, if your site doesn't function adequately anymore, set the permissions
> for "other" to "r"(4) only.
> So for instance: chmod -R 770 www-data:www-data (www-data is the account
> under which the apache daemon runs on Debian).
>
> Check out: man chmod
> man chrgrp
>
> Have fun
>
> Roger
>
> On Mon, February 27, 2006 1:44 am, Olivier Papauré said:
> > You can try to create a user with useradd and the -d option.
> >
> > From man useradd :
> >
> >  "The options which apply to the useradd command are:
> >
> >        -d home_dir
> >               The new user will be created using home_dir as the value for
> > the
> >               user's login directory.  The default is to append the login
> > name
> >               to default_home and use that as the login directory name."
> >
> >
> >
> >
> > --
> > Debian Addict site : http://www.debianaddict.org
> >
> >
> > 2006/2/25, Arnel Pastrana <arnelgp@aiias.edu>:
> >>
> >> Hi,
> >>
> >> May I know what are the possibilities to secure the content of my www
> >> folder?
> >>
> >> I want my local user to access because right now when login as an
> >> ordinary user using ssh i can delete the content of my www folder.
> >>
> >> What will I do? any idea?
> >>
> >> Thank you,
> >>
> >> Arnel Pastrana
> >> arnelgp@gmail.com
> >> " The key is not to prioritize your schedule but to prioritize your
> >> priorities."  --- Stephen R Covey
> >>
> >>
> >>
> >> --
> >> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> >> with a subject of "unsubscribe". Trouble? Contact
> >> listmaster@lists.debian.org
> >>
> >>
> >
>
>
> --
> Life is 10 percent what you make it and 90 percent how you take it. -
> Irving Berlin
>
>
>
>


