<0> so would the diff_group
<1> let's say you're a hosting company, and you've given your user write access to some dir. Some scripts need write access to files/stuff, but users can't chown stuff. How will the user give access just to the webserver without giving access to everyone else on that server?
<0> they would be able to read/write/execute as well
<0> everyone else or other would not be able to read/w/e
<2> Genia4: setfacl -m u:apache:rwx file
<1> and without acl?
<0> well
<0> are you talking their home dir?
<2> "chgrp apache file", perhaps
<2> but then, the apache user would have to have x permission on their home dir
<2> which is Dirty
<1> hmm
<0> just create a different group
<1> other ways?
<0> called nonuser
<2> what if another user/service needed to read/write their homedir? like the mail server, identd, etc
<2> bitrot: security risk
<0> dnshacker: that's why you have it 707
<0> er
<0> 706 even ;p
<1> so how are hosting companies set up for those scenarios?
<0> negative sir
<2> if you have all your services running as nobody, then they can ALL **** with each other
<0> how is it a security risk?
<0> my services run as their own user usually
<2> having every service run as their own user is the best way
<2> and using acl's
<0> and only root can see all procs on the box; users can only show their own procs/sockets
<1> the way I have it set up on my server atm is have a www dir in each user's home dir, /var/www/thatuser is a link to that dir, and if a user needs a file owned by the server, there is a suid script that can do that
<1> dirty, but I couldn't think of anything else
<0> wow
<0> that's messed up lol
<0> why not remove the link?
<2> yea...
<0> and have the actual dir be in the home dir
<0> that's what I do
<2> why not use /home as the DocumentRoot
<2> just have a vhost for each user
<0> then I chmod username:user
<1> because a user might want stuff that is not web visible...
<0> the 'users' is the group
<0> then chmod 705
<0> you're done
<0> chmod -R 706 /home/
<0> so the users have rwx but the users group doesn't
<0> that's secure
<2> all my customers have their stuff in /home/user/www/domain/ with a vhost for each domain they have
<1> but then every user not in "users" has access
<0> secure enough anyways lol
<0> Genia4: ... but all your users should be in users hehe
<1> dnshacker: and how can they give the webserver permissions to their files?
<0> who else is on your box?
<1> bitrot: yeah, but I run other services too
<1> other than apache that is
<2> Genia4: setfacl -m u:apache:x /home/user /home/user/www /home/user/www/domain
<2> that allows apache to change just into /home/user/www/domain
<2> and not read from anywhere else
<1> without acl first ;)
<0> lol
<0> I'm confused
<2> without acl is insecure
<2> you'd have to use a group
<1> no, some scripts need apache to have write access to files
<1> how can you handle that?
<2> and a group owner can modify the contents of a dir
<0> even if you chmod 706
<0> and have all the users group set to users
<1> with the scheme you presented above: [18:57] <2> all my customers have their stuff in /home/user/www/domain/ with a vhost for each domain they have
<0> the users won't be able to read the dirs
<2> Genia4: then set rw on the dir in the acl, simple
<1> without acl there is no way?
<2> anyway, all of my webservers are set up with suexec/suphp etc :)
<2> so apache never needs write access
<2> that'd be Silly
<2> :p
<1> is that wise?
<0> drwx---r-x 3 jza users 512 Mar 29 14:00 jza
<0> what's wrong with that?
<0> all users can't access the dir
<1> bitrot: but if you run another service, a database, and somehow the database is hacked, there is write access to the file
<1> dnshacker: can you show me the permissions on your php?
<0> Genia4: how?!?!?!?
<1> how what?
<2> bitrot: nothing wrong with it
<0> yeah I'm confused
<0> lol
<0> I thought the way I currently have it set up is pretty secure
<0> without using acls of course
<3> dnshacker: Are you on LinkedIn, by any chance?
<1> bitrot: so your www dirs are actually 706?
<2> Two9A: never heard of it
<2> bitrot: now let 'jbloggs' access /home/jza/foo
<3> It's a professional-contact site, where you can make a net of colleagues/acquaintances/etc
<2> Two9A: cool
<3> I can send you an invite if you like
<2> plZ
<3> got email?
<2> no
<3> You could have trouble then. Dimebar still active? :P
<2> nope
<2> teehee
<3> I have an ffat addr, mind if I try it?
<2> manger@full-fat.com
<3> Yah
<3> FIRED
<2> *ding*
<3> All the contacts in my list atm are from #php :/
<1> say, can users run chmod? I forgot :(
<1> yes they do
<1> ignore me.
<0> Genia4: drwxr-xr-x 8 obsidianx users 2048 Aug 28 20:28 /home/obsidianx/public_html
<4> there's a reason why it's called discretionary access control
<1> those permissions ****
<1> wait, no, they don't
<1> if he wants to give apache write access, he can chmod a file to 756
<2> You
<2> People you know
<3> PEOPLE THEY KNOW
<2> People they know
<2> -_-
<2> it's THEM
<2> THEM, AGAIN
<3> !
<2> BASTARDS, THEY'RE EVERYWHERE
<3> They're COMING
<2> my network is 2% complete
<2> w0w
<3> go u
<3> Ooh, mine's at 16%
<3> It'll stay at that for a while
<2> I'd like to dump their database
<3> Yeah, "6.5 million"
<2> seems there's 3 people from ff already on here
<0> dnshacker: If I were going to let jbloggs access /home/jza/foo I would need an ACL
<0> because jbloggs would be another user in the users group so by posix he would be denied
<0> hmmm
<0> acls wouldn't work
<0> since it would be denied by posix perms first
<0> Genia4: the www dirs could be 706 sure, wouldn't matter really, all the users in the 'users' group don't have access to the home, so the sub dirs can be 706 or 760
<0> err
<0> not 760
<0> 766
<0> Will I have to buy OS X 10.5 Leopard when it comes out? Or do I get a free upgrade?
<0> http://www.apple.com/getamac/
<1> bitrot: so what's the permission on home/
Channel: #gentoo