file and directory permission
Matthew Seaman
m.seaman at infracaninophile.co.uk
Sun Dec 20 11:21:24 UTC 2009
Roby Sadeli wrote:
> Hi there.
>
> I have been using FreeBSD for some time but my skill is getting really rusty.
> I install nginx via the ports collection and it works just fine.
> The data files (html) are located in /usr/local/www/ and the directory
> permission is as follows:
> drwxrwxr-x 5 root wheel 512 Dec 20 15:54 www
>
> and I changed the user/group permission like this:
> # chown -R www:www /usr/local/www
> # chmod -R 775 /usr/local/www
>
> My id is user and looks like this:
> # id user
> uid=1001(user) gid=1001(user) groups=1001(user),0(wheel),80(www)
>
> I am trying to create a file in the /usr/local/www and I can't.
> Is there something wrong I did here?
>
Well, yes. But not really anything to do with your principal aim of
being able to edit your web content as a mortal user. You've opened
up a bit of a security hole by your changes.

It's a common misconception that because the www directory is somehow the
territory of the web server, then the UID the web server runs as should own
the files and directories under it. This is actually a pretty bad idea,
because it means that anyone suborning your web server can then deface your
web content. This sort of attack is generally through a cgi script or through
PHP or other applications run with the credentials of your web server, but in
principle it can apply to a web server daemon serving up nothing but static
content if the daemon has buffer overflow or similar vulnerabilities.
If the web server needs to handle uploaded files then this should be set up
to go to a distinct writable area preferably somewhere completely separate from
/usr/local/www.
Or in other words, to achieve the aim you want, do this:

* Create a new group for people that are allowed to edit the web
  content to belong to. eg:

    # pw group add -n wwwdev

* Give that group ownership of the files under the web-root:

    # chown -R root:wwwdev /usr/local/www

* Make files and directories under the web-root group writeable, but
  not world writeable:

    # chmod -R g+w,o-w /usr/local/www

* Add your own UID as a member of the wwwdev group:

    # pw group mod -n wwwdev -m user

* Log out and log back in again to update the group membership in your
  active session. [Note: this doesn't happen automatically just by modifying
  /etc/groups -- you need to start a new session]

* Possibly adjust the umask setting in your shell initialization files to
  umask=002 -- this means by default files you create will be *group* writeable.

note: due to BSD filesystem semantics files will inherit the group ownership
from the directory they are created in. On some other Unixoid OSes you would
need to have the directories SGID to achieve the same effect.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
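A shell check, added here and not part of Matthew's reply, that audits a web root for the exposure he describes: paths owned by the web server's UID, group-writable and owned by the web server's group, or world-writable. The default UID/GID of 80 comes from the `www` entry in the quoted `id` output; the function names are my own.

```shell
#!/bin/sh
# Audit a web root for paths the web-server account could modify.
# Usage: audit_webroot DIR [WWW_UID] [WWW_GID]
# Defaults assume FreeBSD's www user/group, uid/gid 80 (from the thread).
# Each offending path is printed once; a clean tree prints nothing.
audit_webroot() {
    dir=$1
    www_uid=${2:-80}
    www_gid=${3:-80}
    {
        # Owned by the web-server UID: the server can chmod/write at will,
        # which is the situation chown -R www:www created.
        find "$dir" -user "$www_uid" -print
        # Group-writable and in the web-server group: same effect as above.
        find "$dir" -group "$www_gid" -perm -0020 -print
        # World-writable: any local account, the server included, can write.
        find "$dir" -perm -0002 -print
    } 2>/dev/null | sort -u
}

# Convenience wrapper returning just the number of offending paths.
count_writable_by_www() {
    audit_webroot "$@" | wc -l | tr -d ' '
}
```

Run `audit_webroot /usr/local/www` after applying the chown/chmod steps above; the expected output is empty.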