I recently installed Ubuntu server on my server to try out the linux as a new user. I followed a tutorial on how to set up the web server which said I need to chmod 777
the web server dir so that it can be written into.
Anyway, I created a new account for one dude to allow him to see some files on the server which I placed in his home dir:
adduser francis
After creating the account I checked what access he has with
groups francis
It said "francis : francis", so not a problem I thought, the ubuntu hasn't included him in any groups by default, which makes sense, it created him with no extra permissions security-wise, so everything is fine and dandy.
A week later, in absolute and utter horror, I found out that even though he couldn't do things like SUDO or mess around in system directories, he had full access to almost everything else on the server. For example he had full read/write access to my web server files at /var/www (and thus passwords stored in php configs files etc) even though that directory is NOT in his home directory and I never added him into any groups which could access that directory, nor I granted him any special access to anything ever after doing the adduser.
Anyway, what is going on here? How do I kill his access to anything important? He should not be able to access stuff like /media or /var/www. I thought that new users were by default prevented from doing anything dangerous or snooping where they shouldn't be.
So the sum it up, I only need to allow him access to directories which I manually specify + to directories which he needs to function properly (his home dir, vim, nano etc..)
Thank you
This is as designed. And worse. chmod 777 means... "I'd like the owner, anyone in his group, and anyone at all to have read, write and execute permissions"
Which is pretty terrible.
And for a web server, 777 is not optimal. 755 (Owner has full permissions group and others have read + execute) is a common default but from what you've said you want at least read-write, or read-write execute for the owner (the web server user), and maybe the group, and no permissions for the user. There's a more complete questions on what appropriate permissions levels are on serverfault but consider something like 640 or 740.
that said, you could also put the user in his own little world - setting up chroot to keep the user in his own space in the system. There's guides floating around for doing this - for example oli's excellent answer here which may be an option depending on your needs.
No comments:
Post a Comment