Solved

Web Servers - Directory Permissions

Posted on 1997-05-19
6
204 Views
Last Modified: 2010-04-21
I've got a bit of a dilemna... I am part of a website design
team for a new client, which wants us to setup a membership
system for them.

The membership system allows members to use an online
CGI-driven script to design their homepage. To do this I
setup a users directory where all member accounts will be
stored in, the users have ftponly access to the site. The
users directory and all member subdirectories are now group
owned by the web server group (www) with group write permissions so the CGI scripts can write to their directories.

However, now I find that users can ftp in, change directories to another users directory and also write
to those! Obviously not what I wanted.

Can anyone suggest a way to accomplish the following goals:

1) Allow the web server to write to all subdirectories of
the users directory via CGI.
2) Allow users to ftp into their accounts and have full
read/write access.
3) Prevent users from being able to write to other users
directories.

I would greatly appreciate your suggestions!
Thanks,
Andy
gmd@netmcr.com
0
Comment
Question by:icculus
  • 3
  • 3
6 Comments
 
LVL 5

Accepted Solution

by:
n0thing earned 100 total points
ID: 2006306
Hi,

  The user's home directory should be owned by the user himself.
The permission of the directory should be 2775 drwxrwsr-x, the
group maybe www, but the user should be in other groups else than
www, like wwwuser. This setup will allow:

  1) The owner have the right to write to their own directory and
no one else.
  2) The CGI script's group should be www so it could write to
that directory.

Example:
passwd file: joe:cryptedpasswd:100:200:Joe User:/bin/false
where group 200 would be "wwwuser".
directory's mode should be 2775 drwxrwsr-x joe.www with the SGID
bit on, so any CGI script with the group "www" could write to
that directory but no one else except for the owner himself.
Everyone else could look into that directory and execute CGI
scripts in that directory, but cannot write to it.

Regards,
n0thing
0
 
LVL 1

Author Comment

by:icculus
ID: 2006307
Excelent Answer! Right after receipt I rewrote our membership
system to implement your solution, my tests show it works
exactly as you proposed.

Thank you so much!
Andy
0
 
LVL 1

Author Comment

by:icculus
ID: 2006308
Well,, looks like I spoke a bit too soon...

It looks like the web server can write to files already
present in the directory, however it cannot create
new files...

How would I go about allowing the web server to create
new files in a user's directory?

Thanks much!
andy
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 5

Expert Comment

by:n0thing
ID: 2006309
Any scripts, process which want to write to that directory should
be in the group "www", by default, httpd deamon is own by
nobody.nobody. You'll have to change the group id in the
httpd.conf file to "www" and restart the server.

Regards,
n0thing
0
 
LVL 1

Author Comment

by:icculus
ID: 2006310
The web server is already user www and group www, but
it doesn't belong to the wwuser group, which owns the
directory...

-Andy
0
 
LVL 5

Expert Comment

by:n0thing
ID: 2006311
The user's directory should be joe:www and not joe:wwwuser. If
you set it to joe:wwwuser, then every other users will be able
to write to it and it will defeat the purpose of the SGID bit.
So that way, the owner will be able to write to it, the others
users can't since they belong to the wwwuser but not www. Any
CGI/process with the group ID of www could write to that
directory. Any further questions on the topic, send mail to me
directly minh@qc.bell.ca.

Regards,
Minh Lai
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now