public_html chmod problems

l0rdphi1

Just noticed on a newly created account that the public_html dir was chmod 710. This was causing hell with Apache (403 errors everywhere). Chmoded 755 and all was fixed. Running on RedHat9.
 
The group of the public_html is supposed to be set to apache.. is it not working? It was changed for security reasons, so that the public_html directory wasn't readable by anyone, only user and apache, so if the open_basedir was enabled nobody could read others' files.

John
 
public_html is showing that it was created by 'apache' but is owned by 'admin'. I don't believe I've touched the owner, but I can't be 100% sure.

chown apache public_html
chmod 0711 public_html

does the trick though :)
 
Ahh. Now FTP can't see the directory listing / do anything to it :)

Had go back to fix this:
chown admin public_html
chmod 0755 public_html
 
I'm considering changing it back to the standard 711 user:user instead of 710 user:apache ... which is causing more problems than it's worth. Thoughts? ... people could read other peoples' files though.

John
 
I agree with going back. I've had to manually chown/chmod a few accounts over the past few days due to the "forbidden" errors.
 
I've added it to the versions system. Do we want 755 or 711 though? I believe that 711 won't allow for directory indexing on the document root, but would be more secure.. they can always change it. 755 will work no matter what, but others can read the directory.

John
 
First help me understand what we're talking about...

On my pre-existing nobaloney.net site (RHL 7.3), my public_html directory looks like this:

drwxr-xr-x 14 nobalone nobalone 4096 Mar 2 22:03 public_html

And my understanding is it always should be this way.

Phil, what do you mean by "it was created by 'apache' but is owned by 'admin'"? I don't see any argument to ls that will tell you who created the directory.

John, what do you mean by "The group of the public_html is supposed to be set to apache"? Is this a recent change? I don't see it mentioned in the version history, but I haven't clicked on the prior versions.

For the most security, presuming proftpd runs as user ftp and httpd runs as apache, you should probably use:

drwxr-xr-x 14 nobalone apache 4096 Mar 2 22:03 public_html

The important thing we all need to remember is that to read a directory we must have read permission, but to actually cd into the directory we must also have execute permission.

So there's no way around the 755 permissions.

As far as I understand it, if we had only static html code we could probably get away with 750, though I could be wrong, and I haven't done any testing.

750 would certainly block other users logging into the box from reading anyone else's files, but it would probably stop certain cgi and/or php files from properly executing.

Jeff
 
jlasman said:
what do you mean by "it was created by 'apache' but is owned by 'admin'"? I don't see any argument to ls that will tell you who created the directory.
Sorry, mistake on my part. :)

You seem to have got the problem down pat. I guess we're stuck with 755.
 
Hi Jeff,

To clarify, a while back we changed the public_html directory to:

710 username:apache

This allowed the user and apache to read files but prevented anyone else on the server from looking in (to protect config.php files for example.. unless of course they use php... except when open_basedir is on ;)) .. For proftpd, it's not really an issue, because the only time it's run as someone other than "username" is for anonymous access, which is done in the public_ftp directory, which is outside of public_html, so no issue there. The subdomain ftp accounts all run as "username" so ftp would be able to see in.

In theory it should all be well and dandy, but things like frontpage throw a fit.. and now some 403 errors are popping up (meaning it might be 710 username:username which won't work). So, the simplest route is to just revert the works back to 755 username:username.

John
 
Have you (anyone) tried 750 username:apache?

I'm not sure if that'll have problems or not. It might work properly.

Jeff
 
Hey Phil.. when you were getting the 403 messages, what was the group on the public_html directory? If it was 710 user:user, then that would explain the 403.

From my tests:
chown user:apache public_html
chmod 710 public_html

should work for most things.. the directory index wouldn't work if you have that setup... in which case 750 would be needed.

John
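To pin down why each setting discussed in this thread behaves the way it does (Jeff's read-versus-execute point and John's note that 710 breaks directory indexing while 750 does not), here is a small model of the POSIX owner/group/other check applied to the candidate modes. It is an added example, not code from the thread or from DirectAdmin; the user names "user", "apache" and "bob" are placeholders, and file-level modes (e.g. 644) are deliberately left out.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (owner/group/other)


@dataclass(frozen=True)
class Dir:
    mode: int    # permission bits, e.g. 0o710
    owner: str   # owning user
    group: str   # owning group


@dataclass(frozen=True)
class Proc:
    user: str
    groups: frozenset  # primary plus supplementary groups


def allowed(d: Dir, p: Proc, bit: int) -> bool:
    """Standard POSIX rule: the owner class applies if the uid matches,
    otherwise the group class if any of the process's groups matches,
    otherwise the 'other' class.  Root's override is ignored on purpose."""
    if p.user == d.owner:
        cls = (d.mode >> 6) & 7
    elif d.group in p.groups:
        cls = (d.mode >> 3) & 7
    else:
        cls = d.mode & 7
    return bool(cls & bit)


def outcomes(d: Dir) -> dict:
    """What each party can do with public_html under this mode/ownership."""
    apache = Proc("apache", frozenset({"apache"}))  # httpd worker (placeholder)
    owner = Proc(d.owner, frozenset({d.owner}))     # site user, also proftpd
    other = Proc("bob", frozenset({"bob"}))         # another customer (placeholder)
    return {
        # serving a named file only needs traverse (x); missing it gives the 403
        "apache_serves_files": allowed(d, apache, X),
        # a directory listing (index) needs read (r) as well as traverse (x)
        "apache_dir_index": allowed(d, apache, R) and allowed(d, apache, X),
        "owner_uploads": allowed(d, owner, W) and allowed(d, owner, X),
        "other_users_can_list": allowed(d, other, R) and allowed(d, other, X),
        "other_users_can_traverse": allowed(d, other, X),
    }


CANDIDATES = {
    "710 user:user":   Dir(0o710, "user", "user"),
    "710 user:apache": Dir(0o710, "user", "apache"),
    "750 user:apache": Dir(0o750, "user", "apache"),
    "711 user:user":   Dir(0o711, "user", "user"),
    "755 user:user":   Dir(0o755, "user", "user"),
}

if __name__ == "__main__":
    for name, d in CANDIDATES.items():
        print(f"{name:16} {outcomes(d)}")
```

Running it shows 710 user:user denying apache traverse (the 403), 710 user:apache serving files but not indexes, 750 user:apache doing both while still shutting out other users, and 755 opening the directory to everyone.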
 
John,

If you use apache as the username and 710 as the permissions, for the public_html directory, then how could the site-user upload files since he couldn't write to the directory? I think you'd need 750 minimum.

Jeff
 
Hello,

username is the user and apache is the group, but I'm changing it to user:user from user:apache (u:g).

710 vs 750 doesn't change any write permissions, only read perms for the group. Apache never has write permission anyway, they'd need to change the permissions regardless to get apache to write (normally 777).

John
 
If it's going to be user:user, won't it need to be 755 so apache can still enter directories and read them?

And then files will have to be 644.

Or will you make apache user a member of each group?

If the latter, are you aware there's a 32 group limit for Linux? (a linux user can only be a member of 32 groups)

I've been there, done that, rented the video, and sent home the postcards :) .

Jeff
 
Which takes us back to anyone can read anything.

As I said, been there, done that, saw the video, sent the postcards, got the sunburn.

Jeff
 
So Jeff, you want user:apache 750 ?

Right now it's user:apache 710, permission problems.

So.. what exactly is the cause of the permission problem?... what is the user, group and permissions on the public_html directory that is generating the 403 in the first place? .. It would just be easier to figure that out.

John
 
John,

We've always used 755 and lived with the fact that people can read each other's stuff.

We don't allow shell logins to our clients and our terms of service don't allow looking around our systems.

I'll be happy to take some time to look at this, but I've got a lot of stuff on my plate right now and I'll probably have to be reminded in a week or so.

:(

Jeff
 