From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Sun, 20 Dec 2009 11:21:11 +0000
To: Roby Sadeli
Cc: freebsd-questions@freebsd.org
Subject: Re: file and directory permission

Roby Sadeli wrote:
> Hi there.
>
> I have been using FreeBSD for some time but my skill is getting really rusty.
> I installed nginx via the ports collection and it works just fine.
> The data files (html) are located in /usr/local/www/ and the directory
> permission is as follows:
> drwxrwxr-x  5 root  wheel  512 Dec 20 15:54 www
>
> and I changed the user/group permission like this:
> # chown -R www:www /usr/local/www
> # chmod -R 775 /usr/local/www
>
> My id is user and looks like this:
> # id user
> uid=1001(user) gid=1001(user) groups=1001(user),0(wheel),80(www)
>
> I am trying to create a file in /usr/local/www and I can't.
> Is there something wrong I did here?
>

Well, yes. But not really anything to do with your principal aim of being
able to edit your web content as a mortal user. You've opened up a bit of a
security hole by your changes.

It's a common misconception that because the www directory is somehow the
territory of the web server, then the UID the web server runs as should own
the files and directories under it. This is actually a pretty bad idea,
because it means that anyone suborning your web server can then deface your
web content. This sort of attack is generally through a cgi script or through
PHP or other applications run with the credentials of your web server, but in
principle it can apply to a web server daemon serving up nothing but static
content if the daemon has buffer overflow or similar vulnerabilities.

If the web server needs to handle uploaded files then this should be set up
to go to a distinct writable area, preferably somewhere completely separate
from /usr/local/www.

Or in other words, to achieve the aim you want, do this:

  * Create a new group for people that are allowed to edit the web content
    to belong to. eg:

      # pw group add -n wwwdev

  * Give that group ownership of the files under the web-root:

      # chown -R root:wwwdev /usr/local/www

  * Make files and directories under the web-root group writeable, but not
    world writeable:

      # chmod -R g+w,o-w /usr/local/www

  * Add your own UID as a member of the wwwdev group:

      # pw group mod -n wwwdev -m user

  * Log out and log back in again to update the group membership in your
    active session. [Note: this doesn't happen automatically just by
    modifying /etc/groups -- you need to start a new session]

  * Possibly adjust the umask setting in your shell initialization files
    to umask=002 -- this means by default files you create will be *group*
    writeable.

    note: due to BSD filesystem semantics files will inherit the group
    ownership from the directory they are created in. On some other Unixoid
    OSes you would need to have the directories SGID to achieve the same
    effect.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
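Added example, not part of the thread above: a POSIX sh script that works through the checks behind Matthew's advice on a scratch tree, so it can be run as an unprivileged user on any box without touching /usr/local/www. It audits a web root for the two things the reply warns about (content owned by the web server's own account, and paths left world-writable), applies the `chmod -R g+w,o-w` step, confirms that a umask of 002 yields group-writable 664 files, and sets the SGID bit on directories for the non-BSD case mentioned in the note. The `www` account name, `WWW_USER` and all function names are assumptions; the chown to root:wwwdev and the pw(8) group commands need root on the real system and are left out.

```sh
#!/bin/sh
# Added example, not from the original thread.  Scratch-tree version of the
# setup Matthew describes: audit a web root for content owned by the web
# server's own account and for world-writable paths, apply the recommended
# "group may write, others may not" modes, and check what umask 002 gives
# new files.  Runs as an unprivileged user on a temporary directory, so the
# chown to root:wwwdev and the pw(8) commands are left out (they need root).
# WWW_USER and every function name below are assumptions.

WWW_USER="${WWW_USER:-www}"   # account nginx runs as on FreeBSD (port default)

# count_world_writable DIR -> prints how many entries have the o+w bit set
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# count_owned_by_www DIR -> prints how many entries $WWW_USER owns
# (0 when that account does not exist on this host)
count_owned_by_www() {
    if id "$WWW_USER" >/dev/null 2>&1; then
        find "$1" -user "$WWW_USER" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# audit_webroot DIR -> prints "clean" or "dirty"; offenders go to stderr
audit_webroot() {
    find "$1" -perm -0002 -exec echo "world-writable: {}" \; >&2
    if [ "$(count_world_writable "$1")" -eq 0 ] &&
       [ "$(count_owned_by_www "$1")" -eq 0 ]; then
        echo clean
    else
        echo dirty
    fi
}

# harden_webroot DIR -> the chmod step from the reply: group writeable,
# not world writeable (the chown -R root:wwwdev step would precede it)
harden_webroot() {
    chmod -R g+w,o-w "$1"
}

# new_file_mode DIR -> creates a file under umask 002 and prints "664" when
# it came out group-writable and not world-writable, "other" otherwise
new_file_mode() {
    ( umask 002; : > "$1/created-under-umask-002.html" )
    if find "$1/created-under-umask-002.html" -perm 0664 | grep -q .; then
        echo 664
    else
        echo other
    fi
}

# setgid_dirs DIR -> the non-BSD equivalent of the group-inheritance note:
# mark every directory SGID so new files take the directory's group.
# Prints how many directories now carry the bit.
setgid_dirs() {
    find "$1" -type d -exec chmod g+s {} \;
    find "$1" -type d -perm -2000 | wc -l | tr -d ' '
}

# build_scratch_tree -> constructed stand-in for /usr/local/www: 775
# directories as after "chmod -R 775", plus one file left world-writable.
# Prints the tree's path.
build_scratch_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/www/site"
    echo '<h1>hello</h1>' > "$t/www/site/index.html"
    chmod 775 "$t/www" "$t/www/site"
    chmod 666 "$t/www/site/index.html"     # the mistake the audit should catch
    echo "$t/www"
}

# Usage: sh webroot-perms.sh run
if [ "${1:-}" = "run" ]; then
    root=$(build_scratch_tree)
    echo "before hardening: $(audit_webroot "$root")"
    harden_webroot "$root"
    echo "after hardening:  $(audit_webroot "$root")"
    echo "new files are created with mode $(new_file_mode "$root")"
    echo "setgid directories: $(setgid_dirs "$root")"
    rm -rf "$(dirname "$root")"
fi
```

On a real FreeBSD host the audit functions are the part worth keeping: run `audit_webroot /usr/local/www` after the chown/chmod steps and any entry still owned by `www` or still world-writable is a leftover of the original `chown -R www:www` / `chmod -R 775` and should be fixed before the server is exposed. The SGID step is only needed where the filesystem does not already inherit the directory's group, as the note in the reply explains.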