One more issue

Polytropon freebsd at edvax.de
Thu May 21 11:37:47 UTC 2015


On Wed, 20 May 2015 22:42:43 -0700, Jeffry Killen wrote:
> I installed apache24 from ports.
> 
> added the requisite line to rc.conf to start apache on boot.
> 
> I ran service apache24 start to start the server.
> 
> from another machine I established an ftp connection to the
> doc root and attempted to edit the default index.html page.
> 
> The ftp client informed me I couldn't edit the page, and I realized
> that the ownership of the doc root needed to be changed to ftp
> user.

No, that sounds wrong. The user "ftp" is the anonymous (!) FTP
user (the one without a name and a password). You probably don't
want to give that user access to document files.

Do you have ftpd (FreeBSD's FTP server) running, or do you use
something different?

See the file /etc/ftpusers - it contains those _not_ allowed to
run FTP connections: "root" and "ftp" commonly are the two top
entries. Make sure that they are there, if you have to use FTP.
Which means: Using FTP today is a bad idea, no matter what "reason"
you might mention... :-)



> So, via ssh I attempted to login via su and the root password
> was refused.

The users which are allowed to "su root" have to be members of
the "wheel" group. Check /etc/group for the relevant entries.
Use "pw groupmod" to add the user, if required.



> I went to the monitor attached to the server and attempted to log in
> as root. I kept getting refusals.

SSH logins for root are usually disallowed. There's an option
named "PermitRootLogin yes" in /etc/ssh/sshd_config which can
be set. However, it's encouraged not to do this, and instead
to use a normal user login + wheel group + su.

Also have a look at the "sudo" and "super" tools, available
via ports.



> I ended up having to dig up how to boot into single user mode to
> change root password. That I did. Now I can log in as root or
> su as usual.

This indicates a password mismatch rather than a "normal" permission
problem.



> The point is that I did not fool around with the password file.
> Something else altered or corrupted it. Hopefully I don't now
> have a root kit hanging around.

That's worth checking. It's also good to have backups of the
relevant files and the databases generated from them.



> I am concerned about having to be connected to the internet
> so ports can fetch anything it sees fit. (this is why I had avoided
> using ports in the past).

That's no big deal, and no big difference between ports and
packages. Make sure you read about system security, and also
make sure you have a firewall in place, just in case. Also
know about your log files, for example /var/log/auth.log.
In case you're running an FTP server, use /var/log/ftpd.log.



> What services do I have to allow to and from the internet that
> are secure with respect to hosts.allow and tcpwrappers, for the sake
> of ports?

Ports are usually obtained with the "fetch" program, using FTP
or HTTP, depending on how the port's distfiles are being
provided.


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
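A small audit script, added here and not part of the thread, that checks the three settings the reply points at (wheel membership for "su root", the root/ftp entries in /etc/ftpusers, and PermitRootLogin in sshd_config) against constructed sample files; the user name "jeffry" in the samples is made up for the demo.

```sh
#!/bin/sh
# Added example (not code from the post): audit the settings the reply
# points at, namely wheel membership (who may "su root"), /etc/ftpusers
# (who is denied FTP login) and PermitRootLogin in sshd_config. Each
# function takes a file path; on a real host pass /etc/group,
# /etc/ftpusers and /etc/ssh/sshd_config instead of the samples below.

# Print the members of the "wheel" group, one per line.
# /etc/group line format: name:password:gid:member1,member2,...
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Exit 0 if user $1 is listed in the wheel group of group file $2.
user_in_wheel() {
    wheel_members "$2" | grep -qx -- "$1"
}

# Exit 0 if both "root" and "ftp" appear as exact, uncommented lines in
# ftpusers file $1 (ftpd refuses FTP login to every name listed there).
ftpusers_denies_root_and_ftp() {
    grep -qx root "$1" && grep -qx ftp "$1"
}

# Print the first effective PermitRootLogin value in sshd_config $1, or
# "unset" if no uncommented directive exists. sshd honours the first
# occurrence; anything after a "Match" block start is ignored here.
permit_root_login() {
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# Write constructed sample files into a temp dir and print its path.
make_sample_files() {
    d=$(mktemp -d) || return 1
    printf 'wheel:*:0:root,jeffry\nstaff:*:20:\n' > "$d/group"
    printf '# denied FTP logins\nroot\ntoor\nftp\n' > "$d/ftpusers"
    printf '#PermitRootLogin no\nPermitRootLogin yes\nMatch User x\n' > "$d/sshd_config"
    printf '%s\n' "$d"
}
# Demo run against the constructed files.
dir=$(make_sample_files)
user_in_wheel jeffry "$dir/group" && echo "jeffry may su root"
ftpusers_denies_root_and_ftp "$dir/ftpusers" && echo "root and ftp denied FTP"
echo "PermitRootLogin: $(permit_root_login "$dir/sshd_config")"
rm -rf "$dir"
```

On a live system the same functions report which accounts can reach root through su and whether a stray "PermitRootLogin yes" has been left in sshd_config.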
