Date: Sun, 20 Dec 2009 11:21:11 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Roby Sadeli <liweitian@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: file and directory permission
Message-ID: <4B2E08A7.5020002@infracaninophile.co.uk>
In-Reply-To: <864079110912200218i26ccce96r2ec4b217c6452833@mail.gmail.com>
References: <864079110912200218i26ccce96r2ec4b217c6452833@mail.gmail.com>
Roby Sadeli wrote:
> Hi there.
>
> I have been using FreeBSD for some time but my skill is getting really rusty.
> I installed nginx via the ports collection and it works just fine.
> The data files (html) are located in /usr/local/www/ and the directory
> permission is as follows:
> drwxrwxr-x 5 root wheel 512 Dec 20 15:54 www
>
> and I changed the user/group permission like this:
> # chown -R www:www /usr/local/www
> # chmod -R 775 /usr/local/www
>
> My id is user and looks like this:
> # id user
> uid=1001(user) gid=1001(user) groups=1001(user),0(wheel),80(www)
>
> I am trying to create a file in the /usr/local/www and I can't.
> Is there something wrong I did here?

Well, yes. But not really anything to do with your principal aim of being
able to edit your web content as a mortal user. You've opened up a bit of a
security hole by your changes.

It's a common misconception that because the www directory is somehow the
territory of the web server, then the UID the web server runs as should own
the files and directories under it. This is actually a pretty bad idea,
because it means that anyone suborning your web server can then deface your
web content. This sort of attack is generally through a cgi script or through
PHP or other applications run with the credentials of your web server, but in
principle it can apply to a web server daemon serving up nothing but static
content if the daemon has buffer overflow or similar vulnerabilities.

If the web server needs to handle uploaded files then this should be set up
to go to a distinct writable area preferably somewhere completely separate
from /usr/local/www.

Or in other words, to achieve the aim you want, do this:

  * Create a new group for people that are allowed to edit the web content
    to belong to. eg:

      # pw group add -n wwwdev

  * Give that group ownership of the files under the web-root:

      # chown -R root:wwwdev /usr/local/www

  * Make files and directories under the web-root group writeable, but not
    world writeable:

      # chmod -R g+w,o-w /usr/local/www

  * Add your own UID as a member of the wwwdev group:

      # pw group mod -n wwwdev -m user

  * Log out and log back in again to update the group membership in your
    active session. [Note: this doesn't happen automatically just by
    modifying /etc/groups -- you need to start a new session]

  * Possibly adjust the umask setting in your shell initialization files to
    umask=002 -- this means by default files you create will be *group*
    writeable.

    note: due to BSD filesystem semantics files will inherit the group
    ownership from the directory they are created in. On some other Unixoid
    OSes you would need to have the directories SGID to achieve the same
    effect.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
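As an added illustration (not code from the thread, from Matthew, or from FreeBSD), the following POSIX sh script rehearses the group-writable web-root layout described above on a constructed temporary tree and then audits the result for world-writable entries. It assumes an unprivileged run: it substitutes the caller's own group (`id -gn`) for `wwwdev` and `chgrp -R` for the `chown -R root:wwwdev` in the mail, and it omits the FreeBSD-only `pw group add` / `pw group mod` steps. The temp directory, file names and initial modes are constructed to reproduce the bad state from the original question.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rehearse the
# group-writable web-root layout in a throwaway directory, then audit it.
# Assumption: runs unprivileged, so the demo uses the caller's own group
# (id -gn) where a real deployment would use "chown -R root:wwwdev".
set -eu

# Print the ten-character mode string of a path, e.g. "-rw-rw-r--".
# ls -ld output is portable across BSD and GNU; cut drops any ACL/SELinux marker.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Count world-writable entries under a web root.  Anything other than 0
# means a compromised web server (or any local user) could deface content.
audit_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Build a constructed web root reproducing the bad state from the question:
# directories 775, one file world-writable, one file not yet group-writable.
# Prints the temp directory path.
make_demo_root() {
  demo=$(mktemp -d)
  mkdir -p "$demo/images"
  printf '<h1>hello</h1>\n' > "$demo/index.html"
  : > "$demo/images/logo.png"
  chmod 775 "$demo" "$demo/images"
  chmod 666 "$demo/index.html"       # constructed: world-writable (bad)
  chmod 644 "$demo/images/logo.png"  # constructed: editors cannot write it
  printf '%s\n' "$demo"
}

# The hardening steps from the mail: hand the tree to the editors' group,
# then make it group-writable but never world-writable.  In production the
# owner is root and the group is wwwdev (chown -R root:wwwdev); the demo
# only changes the group so it can run without privileges.
harden_webroot() {
  webroot=$1 group=$2
  chgrp -R "$group" "$webroot"
  chmod -R g+w,o-w "$webroot"
}

# Show the effect of umask 002 from the last step: new files come out 664
# and new directories 775, so fellow group members can edit them.
create_with_umask() {
  ( umask 002
    : > "$1/new.html"
    mkdir "$1/newdir" )
}

# Stand-alone walk-through.
demo_root=$(make_demo_root)
echo "world-writable entries before: $(audit_world_writable "$demo_root")"
harden_webroot "$demo_root" "$(id -gn)"
echo "world-writable entries after:  $(audit_world_writable "$demo_root")"
create_with_umask "$demo_root"
echo "new.html mode: $(mode_of "$demo_root/new.html")"
echo "newdir mode:   $(mode_of "$demo_root/newdir")"
rm -rf "$demo_root"
```

On a real host the useful part is the audit: after the `chmod -R g+w,o-w` step, `find /usr/local/www -perm -002` should print nothing, and running it periodically catches a later `chmod 777` slipped in by an installer or a hurried edit. The `-perm -002` test only looks at the classic mode bits, so on a filesystem with ACLs enabled check those separately.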