Hi All,
On one of my servers I have a personal account and root. I disable root for ssh logins and run ssh on an alternative port. When scp'ing files I usually scp them up, then ssh in, 'su' to root and move them to /var/www/html.
I can sftp I realize, but what group can I add my personal account to, but not root, so I can sftp in and put the files in /var/www/html?
Secondarily /var/www/html/<my website> is owned by root:root, can I change this to something else so my sftp'ing is easier? apache:apache as owner?
-Jason
On Sun, Jan 30, 2011 at 11:14 PM, Jason S-M slackmoehrle.lists@gmail.com wrote:
> On one of my servers I have a personal account and root. I disable root for ssh logins and run ssh on an alternative port. When scp'ing files I usually scp them up, then ssh in, 'su' to root and move them to /var/www/html.
> I can sftp I realize, but what group can I add my personal account to, but not root, so I can sftp in and put the files in /var/www/html?

There are a dozen ways to do this. One is to upload with WebDAV over HTTPS, which is built into Apache on CentOS and has plenty of usable clients such as lftp. Another is simply to designate a directory under /var/www/html/, owned by you personally, that the apache user can browse. That gives you direct upload access as yourself.
Right, but giving myself a directory doesn't allow me to put files other places in /var/www/html....
My goal here is to be able to use my iPad over my ssh port to pull down files, edit them and save them back. Also, upload new files when I am at my desktop.
With /var/www/html owned by root:root and me logging in as 'jason' I cannot accomplish this. I don't allow root logins over ssh...
So I think that something needs to change.
Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not sure the ramifications of this and how Apache would behave, etc.
-Jason
Todd wrote:
> Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not sure the ramifications of this and how Apache would behave, etc.
The whole of /var/www can belong to myid:mygroup as long as the apache user can read it. If apache must write some files somewhere (eg via a cgi script), it needs write access to that specific somewhere, but that's it.
I write nothing out on the file system at all for this site.
-Jason
Nicolas Thierry-Mieg wrote:
> Todd wrote:
> > On one of my servers I have a personal account and root. I disable root for ssh logins and run ssh on an alternative port. When scp'ing files I usually scp them up, then ssh in, 'su' to root and move them to /var/www/html.

Or sudo. Or you can have a cron job that looks and moves, that runs as root.

> > I can sftp I realize, but what group can I add my personal account to, but not root, so I can sftp in and put the files in /var/www/html?
<snip>
> > With /var/www/html owned by root:root and me logging in as 'jason' I cannot accomplish this. I don't allow root logins over ssh...
<snip>
> > Would I change /var/www/html/<my domain> owner to myid:mygroup? I am not sure the ramifications of this and how Apache would behave, etc.
> The whole of /var/www can belong to myid:mygroup as long as the apache
<snip>

Not a great idea. Rather, I'd recommend that it be the apache user (apache or httpd, whichever you have it as), and have the directory of a group that you belong to (remember, you can have multiple secondary groups, like, say, group httpd), and make it group writeable.
mark
Hi Mark,
> Not a great idea. Rather, I'd recommend that it be the apache user (apache or httpd, whichever you have it as), and have the directory of a group that you belong to (remember, you can have multiple secondary groups, like, say, group httpd), and make it group writeable.
I don't quite follow.
If I do a 'getent group' I do have apache as a group.
So you are saying set the owner of /var/www/html/<my domain> and all files below to apache:apache and then add my personal id to the apache group?
-Jason
Hey, Todd,

Todd wrote:
> I don't quite follow.
> If I do a 'getent group' I do have apache as a group.

Or if you just type "groups" from the command line....

> So you are saying set the owner of /var/www/html/<my domain> and all files below to apache:apache and then add my personal id to the apache group?

And make the directory you want to upload stuff into, not /var/www/html, but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then sudo usermod -G apache myusername
mark
m.roth@5-cent.us wrote:
> Todd wrote:
> > So you are saying set the owner of /var/www/html/<my domain> and all files below to apache:apache and then add my personal id to the apache group?
>
> And make the directory you want to upload stuff into, not /var/www/html, but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then sudo usermod -G apache myusername
again: this is bad advice, httpd is running as user apache so you should avoid giving that user write access to stuff in /var/www/ unless it needs to (CGI, file uploads, etc...). The apache user only needs read access. The users editing the content need write access. Make /var/www/* owned by root, or yourself, or some brand new account, but not by apache. Then use groups and sgid bits to give write access (to relevant subdirs) to whoever needs to edit the content.
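The group-plus-setgid layout Nicolas describes, written out as an added example (this is not a script from the thread or from any list member): a dedicated editors' group owns the content, the setgid bit keeps new files in that group, and the apache user is left with nothing but the read bits. The group name webedit, the user jason and the path /var/www/html/example.com are assumptions. It also covers the umask point the thread leaves implicit: an sftp or scp upload gets the uploader's umask, so with the default 022 a file lands as 644 and the other editors cannot change it afterwards. The demo at the bottom runs on a scratch directory, so it can be tried without root.

```shell
# Added example (not code from the thread): the group-plus-setgid layout
# Nicolas describes. Editors write through a dedicated group, the setgid bit
# keeps everything in that group, and the apache user gets read access only
# through the "other" bits. Placeholders (assumptions): group "webedit",
# user "jason", site path /var/www/html/example.com. Uses GNU stat/chmod as
# found on CentOS. The chgrp on the real tree needs root; the demo at the
# bottom runs on a scratch directory as an ordinary user.

# setup_site_tree DIR GROUP
#   Leaves DIR group-owned by GROUP, owner/group writable, world readable,
#   with setgid on every directory so new files inherit GROUP instead of
#   the uploader's primary group.
setup_site_tree() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp -R "$grp" "$dir"
    # u=rwX,g=rwX: editors write; X sets execute on directories only, so a
    # plain .html stays 664. o=rX: apache can traverse and read, never write.
    chmod -R u=rwX,g=rwX,o=rX "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# mode_of PATH -> octal mode including the setgid bit, e.g. 2775
mode_of() {
    stat -c '%a' "$1"
}

# upload_as_editor DIR NAME -> mode of the new file
#   Models an sftp/scp upload: the file gets the uploader's umask. 002 is
#   what yields 664 so the other editors can change the file later; with
#   the usual 022 it would be 644 and only the uploader could.
upload_as_editor() {
    ( umask 002; : > "$1/$2" )
    mode_of "$1/$2"
}

# apache_cannot_write PATH -> "ok" or "bad"
#   "ok" means PATH is neither owned nor group-owned by apache and carries
#   no world-write bit, i.e. a compromised httpd could not rewrite it.
apache_cannot_write() {
    owner=$(stat -c '%U' "$1")
    group=$(stat -c '%G' "$1")
    mode=$(stat -c '%a' "$1")
    case $mode in
        *[2367]) echo bad; return 0 ;;   # last octal digit carries the o+w bit
    esac
    if [ "$owner" = apache ] || [ "$group" = apache ]; then
        echo bad
    else
        echo ok
    fi
}

# On the server (as root), after: groupadd webedit; usermod -aG webedit jason
#   setup_site_tree /var/www/html/example.com webedit
# Demo on a scratch directory using the caller's own primary group:
demo=$(mktemp -d)
setup_site_tree "$demo/example.com" "$(id -gn)"
echo "dir mode:     $(mode_of "$demo/example.com")"                     # 2775
echo "upload mode:  $(upload_as_editor "$demo/example.com" index.html)" # 664
echo "apache check: $(apache_cannot_write "$demo/example.com")"         # ok
rm -rf "$demo"
```

Two caveats worth keeping in mind when applying this to the real tree. usermod -aG appends the group; usermod -G on its own (as in the command quoted above) replaces the user's whole supplementary group list. And uploads only come out 664 if the editors' umask is 002, either set in their shell profile or, on OpenSSH 5.4 or newer, passed to the SFTP subsystem as sftp-server -u 002 in sshd_config.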
Nicolas Thierry-Mieg wrote:
> m.roth@5-cent.us wrote:
> > And make the directory you want to upload stuff into, not /var/www/html, but /var/www/html/<yourdomain>/<maybewhatever>, group writeable, then sudo usermod -G apache myusername
>
> again: this is bad advice, httpd is running as user apache so you should avoid giving that user write access to stuff in /var/www/ unless it needs to (CGI, file uploads, etc...). The apache user only needs read access. The users editing the content need write access. Make /var/www/* owned by root, or yourself, or some brand new account, but not by apache. Then use groups and sgid bits to give write access (to relevant subdirs) to whoever needs to edit the content.
Well, root wouldn't work for him, since he's preventing remote login. But making the directory - and I did mean something *under* /var/www/html/his_site, *not* his whole site - of webmin group, or whatever he wants, and adding himself to that group, then making that group writeable, would seem to me to meet both his needs and your suggestions, Nicolas.
mark
m.roth@5-cent.us wrote:
> Not a great idea. Rather, I'd recommend that it be the apache user (apache or httpd, whichever you have it as), and have the directory of a group that you belong to (remember, you can have multiple secondary groups, like, say, group httpd), and make it group writeable.
so you prefer giving the apache user write access to /var/www ? Is this really a good thing...? I agree with the group advice though, if you have several users modifying the website content of course.
On Mon, 2011-01-31 at 18:05 +0100, Nicolas Thierry-Mieg wrote:
> so you prefer giving the apache user write access to /var/www ? Is this really a good thing...? I agree with the group advice though, if you have several users modifying the website content of course.
Apache is wonderfully flexible where "root" or "base" directories can be created for USER applications.
There is absolutely NO need to let any HTML user rummage around in /var/www/. My advice is keep them well-out and disable any dodgy 'Alias' links.
All my web sites are created as virtual hosts and the base directories start at /data/web/domain-name/public/. Thus no web user gets the chance of roaming anywhere except above /data/web/domain-name/public/. PHP routines used on web pages are in /data/sys to which no web user can get access.
Also avoid having phpMyAdmin off the main web directory. Ordinary users don't need access and should never have access to it. Hide it away somewhere and create a virtual Apache host to use it with a non-standard port number. Make it hard for the hackers and spoilers to find it.
/data is a directory created in the operating system's root directory and may reside on its own partition.
Always Learning wrote:
<snip>
> Also avoid having phpMyAdmin off the main web directory. Ordinary users don't need access and should never have access to it. Hide it away somewhere and create a virtual Apache host to use it with a non-standard port number. Make it hard for the hackers and spoilers to find it.
Um, no. The answer is yum remove phpMyAdmin on a production system. As I read the logs for all our servers, and a number are world-visible websites, I can't tell you the number of times I've seen probes looking for that.
mark
> Um, no. The answer is yum remove phpMyAdmin on a production system. As I read the logs for all our servers, and a number are world-visible websites, I can't tell you the number of times I've seen probes looking for that.
I don't run PHPMyAdmin, I connect to my MySQL over SSH and obviously run SSH on an alternative port and don't allow root log-ins.
But I do have some fun with those that try and snoop for URLs like /Php-my-admin, /p/m/a, /admin, /sqlweb, etc, etc. If I see something new show up, I add it. I redirect them through rewrite rules to

RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]
-Jason
Todd wrote:
> But I do have some fun with those that try and snoop for URLs like /Php-my-admin, /p/m/a, /admin, /sqlweb, etc, etc. If I see something new show up, I add it. I redirect them through rewrite rules to
>
> RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]
Hmmm... what's that do? The thought that comes to mind is to redirect them to a known malware site, or some site that you consider to have the most obnoxious set of popups/popunders/driftons (preferably all at the same time), or maybe a pr0n site....
mark "and I think you should deposit at least 1% of that $25M US in this bank account I'll set up...."
On Mon, Jan 31, 2011 at 11:50 AM, m.roth@5-cent.us wrote:
> Hmmm... what's that do?

It redirects them back to themselves, actually, and they get whatever they might be running for a web server on the local machine, if anything. If nothing, they get a not found.

http://en.wikipedia.org/wiki/HTTP_301
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
We've got a CentOS/Apache server with a ton of "content providers" that only have write access to specific directories. In our case, we use ACLs to grant access to the specific parts of the /var/www/html tree. If there's only one or two users, we usually add individual ACL entries for each, if there's a herd[1] of them we set up a group, make them members, and set the ACLs to use the group. I'm surprised nobody brought it up already!
[1] users come in herds, like all forms of cattle.
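The ACL approach from the post above, written out as an added example (not the poster's own script). Named user and group entries give individual editors, or a whole group of them, write access to just the parts of the tree they own, while the mode bits and ownership of the tree stay as they are, so apache keeps nothing more than read access. The user jason, the group webedit and the path /var/www/html/example.com are assumptions. It also shows what a practitioner usually trips over: the default entry is what makes later uploads editable by the other editors, and the mask bits on a new file cut a granted rwx down to rw-.

```shell
# Added example (not code from the thread): per-user and per-group write
# access on parts of the content tree with POSIX ACLs, as the post above
# describes. Placeholders (assumptions): user "jason", group "webedit",
# site path /var/www/html/example.com. Needs the acl package (setfacl,
# getfacl) and ACL support on the filesystem. Ownership and mode bits are
# left as they are, so apache keeps read-only access via the "other" bits.

# expand_principal u:jason -> user:jason ; g:webedit -> group:webedit
#   (the short form setfacl accepts vs. the long form getfacl prints)
expand_principal() {
    case $1 in
        u:*) echo "user:${1#u:}" ;;
        g:*) echo "group:${1#g:}" ;;
        *)   echo "$1" ;;
    esac
}

# grant_editor DIR PRINCIPAL   (PRINCIPAL is u:NAME or g:NAME)
#   rwx on everything that exists now, plus a default entry on every
#   directory so files uploaded later inherit the grant; without the
#   default entry a new sftp upload would only be writable by its uploader.
grant_editor() {
    setfacl -R -m "$2:rwx" "$1"
    find "$1" -type d -exec setfacl -m "d:$2:rwx" {} +
}

# revoke_editor DIR PRINCIPAL: drop both the access and the default entry.
revoke_editor() {
    setfacl -R -x "$2" "$1"
    find "$1" -type d -exec setfacl -x "d:$2" {} +
}

# effective_perms PATH PRINCIPAL -> rwx / rw- / r-x / ... or "none"
#   Reads getfacl's line for PRINCIPAL and honours the "#effective:" note
#   getfacl adds when the mask bits cut the entry down: a file created
#   under a default ACL gets mask rw- (from the 0666 create mode), so a
#   user granted rwx effectively has rw- on it, which is what you want.
effective_perms() {
    line=$(getfacl --omit-header "$1" 2>/dev/null \
           | grep "^$(expand_principal "$2"):") || { echo none; return 0; }
    case $line in
        *'#effective:'*) echo "${line##*#effective:}" ;;
        *)               echo "${line##*:}" ;;
    esac
}

# On the server (as root):
#   grant_editor /var/www/html/example.com/blog u:jason
#   grant_editor /var/www/html/example.com g:webedit
#   getfacl /var/www/html/example.com      # review what is granted
# Demo on a scratch directory; skipped quietly without ACL tools/support.
demo=$(mktemp -d)
me=$(id -un)
if command -v setfacl >/dev/null 2>&1 && grant_editor "$demo" "u:$me" 2>/dev/null; then
    mkdir "$demo/css"
    : > "$demo/css/site.css"
    echo "new dir:  $(effective_perms "$demo/css" "u:$me")"          # rwx
    echo "new file: $(effective_perms "$demo/css/site.css" "u:$me")" # rw-
fi
rm -rf "$demo"
```

One check worth running after any setfacl: getfacl on a freshly uploaded file. If the entry shows up with an #effective: annotation of r-- instead of rw-, the mask was tightened (for instance by a later chmod on the file) and the editors have lost write access even though their entry is still there.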
--On Sunday, January 30, 2011 8:14 PM -0800 Jason S-M slackmoehrle.lists@gmail.com wrote:
> Secondarily /var/www/html/<my website> is owned by root:root, can I change this to something else so my sftp'ing is easier? apache:apache as owner?
I would avoid giving the apache user write access to anything under /var/www/html unless it absolutely needs it. That prevents a rogue break-in through the web server from rewriting your web content and creating a back door into your system.
> I can sftp I realize, but what group can I add my personal account to, but not root, so I can sftp in and put the files in /var/www/html?
Adding to this:
My son (who is 12) has his own domain now and is using iWeb to publish his website to an old server that I have. Well he is getting a fair number of visitors and is starting to expand his site and learn MySQL and PHP.
So I want to move his domain to my CentOS box away from the Windows and IIS he is using now. No problem.
I want him to publish over SFTP.
1. I can create him an account on the box
2. I can set him as the owner of his directory in /var/www/html/<his domain>

My question is: would I make his user's home directory /var/www/html/<his domain> so he automatically gets dumped there?
-Jason
Todd wrote:
> I want him to publish over SFTP.
> My question is: would I make his user's home directory /var/www/html/<his domain> so he automatically gets dumped there?
Have his profile cd there on login?
mark