[Sussex] Securing Apache / Linux

Ronan Chilvers ronan at thelittledot.com
Thu Aug 4 19:15:58 UTC 2005


On Thu, 4 Aug 2005 17:03:49 +0100
"Paul Graydon" <paul at paulgraydon.co.uk> wrote:
<snip>
> where things get a little more difficult as best as I can see.  We
> both need to be able to CHMOD files stored in the htdocs folder, over
> FTP.  That's where the biggest hangup seems to come.
</snip>

If you don't have clients using FTP connections (or even if you do) I
would look at switching to SSH/SCP.  SCP or SFTP is well supported both
on Linux and Windows (WinSCP, for example).  It's also considerably more
secure than FTP (being based on an encrypted connection) and does all
the stuff that FTP does and more.  The only disadvantage is that it's
hard to chroot SCP/SFTP users like you can with FTP daemons - it is
possible though.

<snip>
> So far I've created a separate user group called webteam on the
> server, created two users, one for myself, one for the boss, and made
> their primary group the webteam group. The htdocs folder (and
> subfolders) has been chowned to httpd:webteam, and then been
> recursively chmoded to 2575, so that the webteam group owns any files
> created in it, and apache can only read and execute contained files,
> as I was advised elsewhere. However, the only way either my boss or
> myself can chmod the files is to log in as root.  For security
> purposes I've disabled the root account from being able to be used
> over FTP, and SSH/telnet is blocked at the firewall.
> 
> Is there any way to achieve this, short of creating a common account
> on the server that both my boss and I will use to log in over ftp?
</snip>

I think I would have done it the other way round, ie: have the files
chowned to webteam:httpd.  You could then use sticky permissions to
chmod to 0740.  The webserver group can read the files (php scripts
only need to be readable not executable) but can't change them, while
the webteam user can do anything he/she likes.  If you make the webteam
users primary group httpd, then you have no need for root access at
all.  You can happily create files / folders with the correct
permissions without having to chmod anything.

Does that make sense?

HTH

Cheers

Ronan
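
As an added illustration (not part of the original post or thread), the following Python models the POSIX owner/group/other permission check and runs both layouts discussed above through it: the questioner's httpd:webteam with recursive 2575, and the reply's webteam:httpd with files at 0740. The usernames paul, boss and httpd, the per-user ownership of files in the second layout, and the directory mode 2750 used there (a directory needs the x bit to be traversed) are assumptions. It also checks what a second team member gets on a file owned by the first, and which group a freshly created file inherits under the setgid directory, neither of which the post spells out.

```python
"""Model of POSIX permission checks, applied to the two htdocs layouts in the
thread. Constructed example: user names, group names and the directory mode
for layout B are assumptions, not taken from the original post."""
import stat
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class Principal:
    uid: str
    primary_group: str
    groups: FrozenSet[str]  # every group the user belongs to, primary included

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int            # permission bits incl. setgid, e.g. 0o2575
    is_dir: bool = False

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def access(node: Node, who: Principal, want: str) -> bool:
    """True if `who` gets permission `want` ('r', 'w' or 'x') on `node`.
    POSIX applies exactly one class: owner beats group beats other, even
    when the owner bits are narrower than the group bits (as in 2575)."""
    if who.uid == "root":
        return True
    if who.uid == node.owner:
        shift = 6
    elif node.group in who.groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & PERM_BITS[want])

def can_chmod(node: Node, who: Principal) -> bool:
    """chmod is reserved to the file's owner (or root), whatever the mode says.
    This is why a group with rwx still cannot change modes on httpd-owned files."""
    return who.uid in ("root", node.owner)

def can_create(parent: Node, who: Principal) -> bool:
    """Creating an entry needs w and x on the directory itself."""
    return parent.is_dir and access(parent, who, "w") and access(parent, who, "x")

def create_in(parent: Node, who: Principal, mode: int = 0o640) -> Node:
    """New file under `parent`: owner is the creator; the group is the parent's
    group when the parent has setgid (S_ISGID), else the creator's primary group."""
    if not can_create(parent, who):
        raise PermissionError(f"{who.uid} cannot create files in that directory")
    group = parent.group if parent.mode & stat.S_ISGID else who.primary_group
    return Node(owner=who.uid, group=group, mode=mode)

def summarize(node: Node, who: Principal) -> str:
    """e.g. 'r-x chmod=no'."""
    bits = "".join(p if access(node, who, p) else "-" for p in "rwx")
    return f"{bits} chmod={'yes' if can_chmod(node, who) else 'no'}"

# Layout A (the question): httpd:webteam, everything chmod 2575.
apache = Principal("httpd", "httpd", frozenset({"httpd"}))
paul_a = Principal("paul", "webteam", frozenset({"webteam"}))
dir_a = Node("httpd", "webteam", 0o2575, is_dir=True)
file_a = Node("httpd", "webteam", 0o2575)

# Layout B (the reply): files owned by the team member, group httpd, 0740;
# directories 2750 is an assumption (group needs x to traverse a directory).
paul_b = Principal("paul", "httpd", frozenset({"httpd"}))
boss_b = Principal("boss", "httpd", frozenset({"httpd"}))
dir_b = Node("paul", "httpd", 0o2750, is_dir=True)
file_b = Node("paul", "httpd", 0o740)

def report() -> dict:
    """What each principal can do in each layout."""
    return {
        "A paul on file": summarize(file_a, paul_a),
        "A apache on file": summarize(file_a, apache),
        "A new file group": create_in(dir_a, paul_a).group,
        "B paul on file": summarize(file_b, paul_b),
        "B apache on file": summarize(file_b, apache),
        "B apache on dir": summarize(dir_b, apache),
        "B boss on paul's file": summarize(file_b, boss_b),
        "B new file group": create_in(dir_b, paul_b).group,
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:24} {value}")
```

Two things the model makes visible that the thread only hints at: in layout A the web server process owns the files, so a compromised Apache could chmod them even though it cannot write to them; in layout B with per-user ownership, the second team member only gets the group's read bit on files the first one created, so either a shared account or a group-writable mode (0760/2770) is needed for two people to edit the same tree.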