Solved

How to let developers modify PHP and HTML files on /var/www/html?

Posted on 2007-03-21
Last Modified: 2012-05-05
Hello Group,

I'm still having a problem granting permission to users (other than root) to be able to develop PHP pages on /var/www/html. What I have done so far, and was expecting to work, is modifying /etc/sudoers as follows:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
Developer1  ALL=(ALL)       ALL

The reason I need to do this is because only root can modify the file on the web server. I'm not sure the above procedure is safe or proper, but I would appreciate it if somebody could give me a solution.

regards,
ak


Question by:akohan
 
LVL 48

Expert Comment

by:Tintin
ID: 18769467
What you have sure isn't safe by a long mile.

What permissions do you have on /var/www/html and your webpages?  There's no good reason to have them owned by root (unless you have some very unusual requirements).

How do your developers update your website?  Do they copy their changes over the versions in /var/www/html?
0
 
LVL 17

Accepted Solution

by:
psimation earned 65 total points
ID: 18769798
Agree; having root own the /var/www/html is not a good idea.
As a rule of thumb, your websites will each have their own sub folder in /var/www/html. What you can easily do is to "chown" each of your websites to a specific user you create for that website and to give the user write permissions with "chmod". Then, you can edit your vsftpd.conf file to "jail" users to their home directories and voila!

examples:

adduser website_1_user -d /var/www/html/website1
passwd website_1_user

chown -R website_1_user /var/www/html/website1
chmod 755 /var/www/html/website1

now just edit the vsftpd.conf file to ensure that it has at least this in (amongst others):

anonymous_enable=NO
chroot_local_user=YES

service vsftpd restart

Now, if that user FTPs to your server, he will have 755 permission ONLY to the /var/www/html/website1 folder.

If you want ( for instance if you are going to have a large number of websites), you can create another user that is part of the "web_admin" group ( you will need to create this group - groupadd), then you can "chown" the webfolder root to that group:

chown new_admin_user:web_admin -R /var/www/html

then, with that "web_admin_user" you will be able to access ALL your websites with that one ftp account.




0
 

Author Comment

by:akohan
ID: 18775521


Thank you so much for the information you shared with me. However, I don't know what VSFTPD.CONF is. Would you please explain this to me?

Thanks,
AK
0
 

Author Comment

by:akohan
ID: 18775523


One more thing: I understand that it is not safe, but what could it cause if somebody works as root on a web page or does development?

Thanks,
ak
0
 
LVL 48

Expert Comment

by:Tintin
ID: 18776057
If someone works as root on your webpages, then they can change the content of any file, they could destroy the system, absolutely anything.
0
 

Author Comment

by:akohan
ID: 18776220


No, I know that, but what I meant was a REAL ROOT. Is it possible to steal a root password as he/she is working on a page?
I need a good reason to know why working as root, either developing a page or chatting online or anything else, could be risky.





Thank you.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 18776401
What do you mean by "REAL ROOT"?

If a user is root, they have access to all the passwords and can add/delete accounts, change the passwords or anything they like.
0
 

Author Comment

by:akohan
ID: 18776438


Hi Tintin,

Of course, ROOT can change everything. This is obvious, but from your statement I thought you meant the root password can get stolen. Now I know what you said.

However, it seems we are going in a different direction. What I had asked for was VSFTPD.CONF. Does anybody know what it is?

Thanks,
ak
0
 
LVL 48

Expert Comment

by:Tintin
ID: 18777328
vsftpd.conf is the configuration file for vsftp, but from your question, it appears the developers have command line access to the webserver.  Correct?

Let's go back a few steps.

1.  Is there any good reason to have the web pages owned by root?
2.  What restrictions do you wish to place on the developers?
0
 

Author Comment

by:akohan
ID: 18777675

right. They have shell access.

Your questions:
>1.  Is there any good reason to have the web pages owned by root?
     No, and it is not safe. The reason I asked is that on my new system (Linux FC6) I set up Apache and PHP. As user I can change a page or develop it. But when I log in as user1 or ... I don't have access to the page; I can just read it, not write. After a discussion with an admin, he told me that I have to modify /etc/sudoers.
I did so but still cannot develop a page due to not having permission to /var/www/html.

What is the proper way of doing this?

>2.  What restrictions do you wish to place on the developers?
I want user1 or user2 ... to be able to modify (write/read) the PHP and HTML pages, but they must not have all the permissions root has.

Thanks in advance for your help.
AK
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 60 total points
ID: 18777780
If you want user1 and user2 to have read/write permissions on your PHP and HTML pages, then simply make sure they are in the same group, eg: 'devs' then ensure directories have perms of 775 with group set to 'devs' and files set to 664 with group set to 'devs'.

No root access needed.
0
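
The group scheme from the answer above (directories 775, files 664, shared group), as an added example that is not part of the original thread. The function names are hypothetical, the tree is a constructed temporary directory, and the caller's own group ID stands in for 'devs'; the setgid bit on directories is an addition beyond the answer, so files created later inherit the shared group.

```shell
#!/bin/sh
# Added example: apply and audit the shared-group permission scheme.
# Assumption: on a real server docroot=/var/www/html and group=devs.

# Set group ownership and modes: directories 2775 (775 + setgid), files 664.
apply_dev_perms() {
    docroot=$1 group=$2
    chgrp -R "$group" "$docroot" || return 1
    # setgid on directories makes new files inherit the shared group.
    find "$docroot" -type d -exec chmod 2775 {} + || return 1
    # Files get no execute bit; the web server only needs to read them.
    find "$docroot" -type f -exec chmod 664 {} + || return 1
}

# Print every path that breaks the scheme: wrong group, not writable
# by the group, or writable by everyone.
audit_dev_perms() {
    docroot=$1 group=$2
    find "$docroot" \( ! -group "$group" -o ! -perm -0020 -o -perm -0002 \) -print
}

# Build a constructed sample docroot with deliberately bad modes and
# print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/website1/inc"
    echo '<?php echo "hi";' > "$root/website1/index.php"
    echo '<html></html>'    > "$root/website1/inc/header.html"
    chmod 777 "$root/website1"            # bad: world-writable directory
    chmod 600 "$root/website1/index.php"  # bad: only the owner can edit
    echo "$root"
}

# Demo: list violations, fix them, list again (second list is empty).
tree=$(make_sample_tree)
gid=$(id -g)
echo "violations before:"; audit_dev_perms "$tree" "$gid"
apply_dev_perms "$tree" "$gid"
echo "violations after:";  audit_dev_perms "$tree" "$gid"
rm -rf "$tree"
```

On the real server root would first run `groupadd devs` and `usermod -aG devs user1`, then `apply_dev_perms /var/www/html devs`. Developers also need a umask of 002, otherwise files they create later are not group-writable.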
 

Author Comment

by:akohan
ID: 18783611


As root I gave permission to user1 (my other account) to be able to modify files in /var/www/html

Thanks
ak
0
