Old 01-31-2011, 04:07 AM
Nico Kadel-Garcia
 
Default Groups

On Sun, Jan 30, 2011 at 11:14 PM, Jason S-M
<slackmoehrle.lists@gmail.com> wrote:
> Hi All,
>
> On one of my servers I have a personal account and root. I disable root for ssh logins and run ssh on an alternative port. When 'scp'ing files I usually scp them up, then ssh in 'su' root and move them to /var/www/html.
>
> I can sftp I realize, but what group can I add my personal account to, but not root, so I can sftp in and put the files in /var/www/html?

There are a dozen ways to do this. One is to upload with WebDAV over
HTTPS, which is built into Apache on CentOS and has plenty of usable
clients such as lftp. Another is simply to designate a directory under
/var/www/html/, owned by you personally, that the apache user can
browse. That gives you direct upload access as yourself.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-31-2011, 07:36 AM
Kenneth Porter
 
Default Groups

--On Sunday, January 30, 2011 8:14 PM -0800 Jason S-M
<slackmoehrle.lists@gmail.com> wrote:

> Secondarily /var/www/html/<my website> is owned by root:root, can I
> change this to something else so my sftp'ing is easier? apache:apache as
> owner?

I would avoid giving the apache user write access to anything under
/var/www/html unless it absolutely needs it. That prevents a rogue break-in
through the web server from rewriting your web content and creating a back
door into your system.


 
Old 01-31-2011, 03:33 PM
Todd
 
Default Groups

> > On one of my servers I have a personal account and root. I disable root for ssh logins and run ssh on an alternative port. When 'scp'ing files I usually scp them up, then ssh in 'su' root and move them to /var/www/html.
> >
> > I can sftp I realize, but what group can I add my personal account to, but not root, so I can sftp in and put the files in /var/www/html?
>
> There are a dozen ways to do this. One is to upload with WebDAV over
> HTTPS, which is built into Apache on CentOS and has plenty of usable
> clients such as lftp. Another is simply to designate a directory under
> /var/www/html/, owned by you personally, that the apache user can
> browse. That gives you direct upload access as yourself.

Right, but giving myself a directory doesn't allow me to put files other places in /var/www/html....

My goal here is to be able to use my iPad over my ssh port to pull down files, edit them and save them back. Also, upload new files when I am at my desktop.
With /var/www/html owned by root:root and me logging in as 'jason' I cannot accomplish this. I don't allow root logins over ssh...

So I think that something needs to change.
Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not sure the ramifications of this and how Apache would behave, etc.

-Jason
 
Old 01-31-2011, 03:49 PM
Nicolas Thierry-Mieg
 
Default Groups

Todd wrote:
> > On one of my servers I have a personal account and root. I
> disable root for ssh logins and run ssh on an alternative port. When
> 'scp'ing files I usually scp them up, then ssh in 'su' root and move
> them to /var/www/html.
> >
> > I can sftp I realize, but what group can I add my personal
> account to, but not root, so I can sftp in and put the files in
> /var/www/html?
>
> There are a dozen ways to do this. One is to upload with WebDAV over
> HTTPS, which is built into Apache on CentOS and has plenty of usable
> clients such as lftp. Another is simply to designate a directory under
> /var/www/html/, owned by you personally, that the apache user can
> browse. That gives you direct upload access as yourself.
>
>
> Right, but giving myself a directory doesn't allow me to put files other
> places in /var/www/html....
>
> My goal here is to be able to use my iPad over my ssh port to pull down
> files, edit them and save them back. Also, upload new files when I am at
> my desktop.
>
> With /var/www/html owned by root:root and me logging in as 'jason' I
> cannot accomplish this. I don't allow root logins over ssh...
>
> So I think that something needs to change.
>
> Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not
> sure the ramifications of this and how Apache would behave, etc.

The whole of /var/www can belong to myid:mygroup as long as the apache
user can read it. If apache must write some files somewhere (eg via a
cgi script), it needs write access to that specific somewhere, but
that's it.
 
Old 01-31-2011, 03:51 PM
Todd
 
Default Groups

> > On one of my servers I have a personal account and root. I
> disable root for ssh logins and run ssh on an alternative port. When
> 'scp'ing files I usually scp them up, then ssh in 'su' root and move
> them to /var/www/html.
> >
> > I can sftp I realize, but what group can I add my personal
> account to, but not root, so I can sftp in and put the files in
> /var/www/html?
>
> There are a dozen ways to do this. One is to upload with WebDAV over
> HTTPS, which is built into Apache on CentOS and has plenty of usable
> clients such as lftp. Another is simply to designate a directory under
> /var/www/html/, owned by you personally, that the apache user can
> browse. That gives you direct upload access as yourself.

I write nothing out on the file system at all for this site.
-Jason
 
Old 01-31-2011, 03:53 PM
 
Default Groups

Nicolas Thierry-Mieg wrote:
> Todd wrote:
>> > On one of my servers I have a personal account and root. I
>> disable root for ssh logins and run ssh on an alternative port. When
>> 'scp'ing files I usually scp them up, then ssh in 'su' root and move
>> them to /var/www/html.

Or sudo. Or you can have a cron job that looks and moves, that runs as root.
>> >
>> > I can sftp I realize, but what group can I add my personal
>> account to, but not root, so I can sftp in and put the files in
>> /var/www/html?
<snip>
>> With /var/www/html owned by root:root and me logging in as 'jason' I
>> cannot accomplish this. I don't allow root logins over ssh...
<snip>
>> Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not
>> sure the ramifications of this and how Apache would behave, etc.
>
> The whole of /var/www can belong to myid:mygroup as long as the apache
<snip>
Not a great idea. Rather, I'd recommend that it be the apache user (apache
or httpd, whichever you have it as), and have the directory of a group that
you belong to (remember, you can have multiple secondary groups, like,
say, group httpd), and make it group writeable.

mark


 
Old 01-31-2011, 04:03 PM
Todd
 
Default Groups

Hi Mark,



>> With /var/www/html owned by root:root and me logging in as 'jason' I
>> cannot accomplish this. I don't allow root logins over ssh...
<snip>
>> Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not
>> sure the ramifications of this and how Apache would behave, etc.
>
> The whole of /var/www can belong to myid:mygroup as long as the apache
<snip>
> Not a great idea. Rather, I'd recommend that it be the apache user (apache
> or httpd, whichever you have it as, and have the directory of a group that
> you belong to (remember, you can have multiple secondary groups, like,
> say, group httpd), and make it group writeable.

I don't quite follow.
If I do a 'getent groups' I do have apache as a group.
So you are saying set the owner of /var/www/html<my domain> and all files below to apache:apache and then add my personal id to the apache group?

-Jason
 
Old 01-31-2011, 04:05 PM
Nicolas Thierry-Mieg
 
Default Groups

m.roth@5-cent.us wrote:
> Nicolas Thierry-Mieg wrote:
>> Todd wrote:
>>> With /var/www/html owned by root:root and me logging in as 'jason' I
>>> cannot accomplish this. I don't allow root logins over ssh...
> <snip>
>>> Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not
>>> sure the ramifications of this and how Apache would behave, etc.
>>
>> The whole of /var/www can belong to myid:mygroup as long as the apache
> <snip>
> Not a great idea. Rather, I'd recommend that it be the apache user (apache
> or httpd, whichever you have it as, and have the directory of a group that
> you belong to (remember, you can have multiple secondary groups, like,
> say, group httpd), and make it group writeable.

So you prefer giving the apache user write access to /var/www?
Is this really a good thing...?
I agree with the group advice though, if you have several users
modifying the website content of course.
 
Old 01-31-2011, 04:20 PM
 
Default Groups

Hey, Todd,

Todd wrote:
>
>> >> With /var/www/html owned by root:root and me logging in as 'jason' I
>> >> cannot accomplish this. I don't allow root logins over ssh...
>> <snip>
>> > Would I change /var/www/html/<my domain> owner to myid:mygroup? I am
>> > not sure the ramifications of this and how Apache would behave, etc.
>>
>> > The whole of /var/www can belong to myid:mygroup as long as the apache
>> <snip>
>
>> Not a great idea. Rather, I'd recommend that it be the apache user
>> (apache or httpd, whichever you have it as, and have the directory of a group
>> that you belong to (remember, you can have multiple secondary groups, like,
>> say, group httpd), and make it group writeable.
>
> I don't quite follow.
>
> if I do a 'getent groups' I do have apache as a group.

Or if you just type "groups" from the command line....
>
> So you are saying set the owner of /var/www/html<my domain> and all files
> below to apache:apache and then add my personal id to the apache group?

And make the directory you want to upload stuff into, not /var/www/html,
but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then
sudo usermod -G apache myusername

mark

 
Old 01-31-2011, 04:54 PM
Nicolas Thierry-Mieg
 
Default Groups

m.roth@5-cent.us wrote:
> Todd wrote:
>>
>>>>> With /var/www/html owned by root:root and me logging in as 'jason' I
>>>>> cannot accomplish this. I don't allow root logins over ssh...
>>> <snip>
>>>> Would I change /var/www/html/<my domain> owner to myid:mygroup? I am
>>>> not sure the ramifications of this and how Apache would behave, etc.
>>>
>>>> The whole of /var/www can belong to myid:mygroup as long as the apache
>>> <snip>
>>
>>> Not a great idea. Rather, I'd recommend that it be the apache user
>>> (apache or httpd, whichever you have it as, and have the directory of a group
>>> that you belong to (remember, you can have multiple secondary groups, like,
>>> say, group httpd), and make it group writeable.
>>
>> I don't quite follow.
>>
>> if I do a 'getent groups' I do have apache as a group.
>
> Or if you just type "groups" from the command line....
>>
>> So you are saying set the owner of /var/www/html<my domain> and all files
>> below to apache:apache and then add my personal id to the apache group?
>
> And make the directory you want to upload stuff into, not /var/www/html,
> but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then
> sudo usermod -G apache myusername

Again: this is bad advice, httpd is running as user apache so you should
avoid giving that user write access to stuff in /var/www/ unless it
needs to (CGI, file uploads, etc...).
The apache user only needs read access. The users editing the content
need write access.
Make /var/www/* owned by root, or yourself, or some brand new account,
but not by apache. Then use groups and sgid bits to give write access
(to relevant subdirs) to whoever needs to edit the content.
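
The layout recommended in this last reply, as an added example that is not part of the original thread: content is not owned by the web server account, editors get write access through a group plus the setgid bit, and an audit lists anything the server account could still modify. The group name `webedit`, the account `jason`, the path `/var/www/html/example.com` and the function names `share_docroot` and `audit_docroot` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed names: editors' group "webedit", web server
# account and group "apache", docroot /var/www/html/example.com.
#
# One-time setup as root (left as comments because it needs privileges):
#   groupadd webedit
#   usermod -a -G webedit jason   # -a appends; plain -G replaces the list
#   chown -R root:webedit /var/www/html/example.com

# Give GROUP write access to DIR. Directories get mode 2775: the setgid
# bit makes new files inherit GROUP instead of the uploader's primary
# group, so every editor can keep modifying them. Files get 0664.
share_docroot() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" &&
    find "$dir" -type d -exec chmod 2775 {} + &&
    find "$dir" -type f -exec chmod 0664 {} +
}

# Print every path under DIR that the web server account could modify:
# owned by WEBUSER and owner-writable, in WEBGROUP and group-writable,
# or world-writable. Symlinks are skipped because their own mode bits
# are not used for access checks. No output means read-only for httpd.
audit_docroot() {
    dir=$1 webuser=$2 webgroup=$3
    find "$dir" ! -type l \( \
        \( -user "$webuser" -perm -0200 \) -o \
        \( -group "$webgroup" -perm -0020 \) -o \
        -perm -0002 \) -print
}

# Typical use, as root:
#   share_docroot /var/www/html/example.com webedit
#   audit_docroot /var/www/html/example.com apache apache
```

Any path the audit prints is one a compromised httpd process could rewrite; directories that genuinely need server writes (CGI output, uploads) should be the only entries.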