
Security, suggestions

Posted: Thu Aug 14, 2003 8:26 am
by mikusan
Hi, this is pretty simple: I have a script that I would like not to be accessible by users on the same server machine. I am not root, and there are many users that can access each other's information (not write, of course, but read and copy are allowed).

Now the solution i am looking for has either to do with the .htaccess code, that i could not find. Or me somehow including my program off another server.

I would prefer some help with the .htaccess but i am also curious about the second option.

Thanks guys!

Posted: Thu Aug 14, 2003 9:13 am
by nielsene
Could you do:

chmod o-r filename
Assuming you can

chgrp www-data filename
Replace www-data with whatever user your webserver runs as, often www-data, apache, or nobody.

Now the webserver can still read the file, but the local users can't.

Posted: Thu Aug 14, 2003 10:14 am
by mikusan
Well wouldn't that mean that i too will not be able to see the file?
what does

chgrp www-data filename
do?

Posted: Thu Aug 14, 2003 10:42 am
by nielsene
In *nix systems using the "default"/regular file system each file has three sets of permissions -- owner, user, other -- and each set can specify read, write, and execute permissions separately:

So if you see "-rwxr-xr-x" this means that the file has owner read/write/execute, group read/execute and other read/execute.

Normally a file is created with group=owner and some default mask, so you have something like:

touch temp
ls -l temp
-rw-r--r--    1 nielsene nielsene        0 Aug 14 11:38 temp
The -l on ls tells it to do the "long" listing.
The first dash on the line is normally used to show if a file is a directory or softlink. The next three triplets show the permissions. In this case the owner has read/write, the group has read, and others have read. The double nielsene shows the owner and group.
If I do

chgrp www-data temp
chmod o-r temp
ls -l
-rw-r-----    1 nielsene www-data        0 Aug 14 11:38 temp
Notice that the group is now 'www-data' and others have lost read privileges. Nielsene, me, the owner, can still read/write the file, even if I'm not in the www-data group.

Posted: Thu Aug 14, 2003 3:23 pm
by m3rajk
A lot of people find it easier to chmod by number. For that, remember that each group must be represented: 0 is nothing for that segment, 1 is execute, 2 is write and 4 is read.

Thus chmodding a file at rwxr-xr-x with 640 makes it rw-r-----, and broken down to be easier to read...
[rwx][r-x][r-x] chmodded to 640 becomes [r-x][r--][---]

Posted: Thu Aug 14, 2003 6:07 pm
by mikusan
Thanks for the detailed explanation. I had some clue on how they worked but you gave me a more detailed view. I also prefer numbers, but nevertheless that's not the point.
How can I chmod a batch of files? I mean, if I chmod the directory, do I have to use regression for it to chmod all the containing files, or how does that work? And is this more effective than not allowing people to view my folders through a .htaccess code?

On a sidenote, I have NEVER figured out how to check what group anyone belongs to. Especially because PHP writes files as another user... hence making it impossible to view the files until I chmod the dirs through a script... I would like to find out how to determine groups and stuff... any good link to a tutorial?

Thanks

Posted: Thu Aug 14, 2003 7:09 pm
by mikusan
Just to reply to the above post, I have been su'ing my way through comprehending this... so I chmodded my main /var/www/html directory to look like
drwx-----x myself myself
just to note that ^ (the above) has not changed to www-data...

To my understanding that last "execute" allows people to view the page from html and therefore execute all my scripts... I don't seem to be getting your result, which is

-rw-r----- 1 nielsene www-data
is that because mine is a dir and yours is a file?
what is that number right after -rw-r-----
thanks!!

Posted: Thu Aug 14, 2003 10:59 pm
by nielsene
OK. for a web-server to serve the file it needs "READ" not "EXECUTE" permission.

The number right after the permissions is the number of links that exist to the file. I believe a directory will always show at least 2.

Posted: Thu Aug 14, 2003 11:01 pm
by nielsene
Yes, when doing a directory you should probably do

chmod -R xxx dirname

so all the files inside the directory get the same changes (the -R means recursive).
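The script below is an added example, not code posted by anyone in this thread. It puts the advice from the thread together in one runnable form: m3rajk's numeric/symbolic mode equivalence (as a small converter in both directions) and nielsene's recursive chgrp/chmod, applied to a throwaway directory tree that the script constructs itself. One caveat it adds: a blanket `chmod -R 640` would also strip the execute (search) bit from directories, and the web server cannot descend into a directory it cannot search, so directories get 750 and files 640. The group name and paths are placeholders; `chgrp` only succeeds if you are a member of the target group, so the example passes your own primary group and the result is checked by parsing `ls -ld` rather than with GNU-specific `stat` flags.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates symbolic<->octal modes and
# a recursive lockdown that keeps the search bit on directories.

# Convert a 9-character symbolic mode (e.g. rw-r-----) to three octal digits.
# Each triplet is one digit: r=4, w=2, x=1 (s/t are counted as execute).
sym_to_octal() {
    perms=$1
    result=""
    pos=1
    while [ "$pos" -le 9 ]; do
        triplet=$(printf '%s' "$perms" | cut -c "$pos-$((pos + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4));; esac
        case $triplet in ?w?) digit=$((digit + 2));; esac
        case $triplet in ??x|??s|??t) digit=$((digit + 1));; esac
        result="$result$digit"
        pos=$((pos + 3))
    done
    printf '%s\n' "$result"
}

# Inverse: three octal digits (e.g. 640) to the symbolic rwxrwxrwx form.
octal_to_sym() {
    digits=$1
    result=""
    pos=1
    while [ "$pos" -le 3 ]; do
        d=$(printf '%s' "$digits" | cut -c "$pos")
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        result="$result$r$w$x"
        pos=$((pos + 1))
    done
    printf '%s\n' "$result"
}

# Symbolic mode of a path taken from `ls -ld`, without the leading type char.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Recursive lockdown of a tree: hand the group to the web server's group and
# remove all "other" access. Directories keep x (search) so the server can
# traverse them; files only need r, so they get 640.
lock_down_tree() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir" 2>/dev/null || \
        echo "note: could not chgrp to $grp (are you a member of that group?)" >&2
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# Demo on a constructed throwaway tree (hypothetical paths, not a real site).
# Prints "<file mode> <dir mode>" after the lockdown.
demo_lockdown() {
    demo=$(mktemp -d)
    mkdir -p "$demo/inc"
    printf '<?php // placeholder secret ?>\n' > "$demo/inc/config.php"
    chmod 644 "$demo/inc/config.php"   # world-readable: the situation to fix
    echo "before: $(mode_of "$demo/inc/config.php") ($(sym_to_octal "$(mode_of "$demo/inc/config.php")"))" >&2
    lock_down_tree "$demo" "$(id -gn)" # own primary group stands in for www-data
    file_mode=$(mode_of "$demo/inc/config.php")
    dir_mode=$(mode_of "$demo/inc")
    rm -rf "$demo"
    printf '%s %s\n' "$file_mode" "$dir_mode"
}

demo_lockdown
```

Run it as an unprivileged user; the "before" line goes to stderr and the final line shows the file at rw-r----- (640) and the directory at rwxr-x--- (750). On the real server, substitute the web server's group for `$(id -gn)`; if `chgrp` reports a failure you are not a member of that group and will need the administrator to change the group for you.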