Django Folders Permissions Setup? - linux

Since I am having a Django PermissionError at /, I need to change permissions on my folders. My question is what is the right level of permission for those folders which still secures my server? I use Apache on Ubuntu.

Short answer: you need to set r-x for the group owner, which must be www-data, and can use rwx for the owner, which must be your user; only directories which www-data needs to write to (such as the repository for media files uploaded by clients) must be rwx for the group owner.
For a more specific answer you need to provide some context about your issue: where are your files placed, and when do you get that error?
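
An added example, not part of the answer above: a shell audit that checks a project tree against the layout the answer describes and flags paths that deviate from it. The function names, the sample tree and the rule that nothing is writable by "other" are assumptions made here.

```shell
#!/bin/sh
# audit_webroot ROOT WRITABLE_DIR
# Prints one finding per line as "<problem>: <path>".
audit_webroot() {
    root=$1
    writable=$2
    # Assumption of this example: nothing is writable by "other".
    find "$root" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
    # Group write is expected only on WRITABLE_DIR and below it.
    find "$root" -path "$writable" -prune -o \
        ! -type l -perm -0020 -print | sed 's/^/group-writable: /'
    # The group must be able to enter directories and read files;
    # a missing bit here is what the web server reports as PermissionError.
    find "$root" \( -type d ! -perm -0050 -o -type f ! -perm -0040 \) -print |
        sed 's/^/group-cannot-read: /'
}

# Constructed sample tree with three deliberate mistakes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/proj/app" "$t/proj/media" "$t/proj/conf"
    : > "$t/proj/app/views.py"
    : > "$t/proj/media/upload.jpg"
    : > "$t/proj/conf/settings.py"
    chmod 750 "$t/proj" "$t/proj/conf"
    chmod 770 "$t/proj/app"               # mistake: group-writable code dir
    chmod 646 "$t/proj/app/views.py"      # mistake: world-writable file
    chmod 2770 "$t/proj/media"            # intended: upload dir, group-writable
    chmod 660 "$t/proj/media/upload.jpg"
    chmod 600 "$t/proj/conf/settings.py"  # mistake: group cannot read
    printf '%s\n' "$t/proj"
}

sample=$(make_sample_tree)
audit_webroot "$sample" "$sample/media"
rm -rf "${sample%/proj}"
```

On a real server, run `audit_webroot` against the project directory after setting its group to www-data; the audit looks only at mode bits, so group ownership has to be checked separately.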

Related

vsftpd issue regarding file permissions and user rights

My system is:
Ubuntu 10.04 / Apache2
The question is related to the software vsftpd - an FTP server for Linux (https://security.appspot.com/vsftpd.html)
I have installed vsftpd and it works fine. I am having an issue though trying to understand why users are able to delete files which are owned by root. I have set up the FTP server with the option "local_enable=YES" and also "chroot_local_user=YES" so that the users cannot navigate outside their home directory.
The strange thing is that if a file is owned by root, the ftp users are able to delete it. Is a user able to delete any file in the home directory regardless of who owns it?
I want to prevent users from being able to delete files, or allow other users to only have read access to the home directories of other users.
If anyone knows the vsftpd software and can help, I'd be most grateful,
yours,
Rob
Have you checked what the chmod of the files is? If all files belong to the same group, and the group has read and write privileges, any user can modify the files through FTP.

How do I get a Java Servlet Container to save files as an "owner / group" other than Tomcat?

I have a java servlet. When it saves files, it saves them as tomcat:tomcat (in a linux environment). I actually need it to save it as sportsfan:tomcat as sportsfan is the FTP user and also needs access to create, modify or overwrite these files.
I thought about running tomcat as sportsfan:tomcat, but I'm running multiple applications under the one tomcat instance.
Perhaps the best way to do this would be to have the FTP user log in as part of the tomcat group. Would that be a correct way?
Please advise.
Adding your sportsfan FTP user to the tomcat group could be a good solution, but before that check which files in your system are modifiable with this permission and consider the security risks.
Another solution: Create a sportsfan group and add your sportsfan user to it. Then change the group of your upload directory and set it as setgid:
chgrp sportsfan upload
chmod g+s upload
After that, new files in the upload directory will be created with tomcat:sportsfan as owner:group. It's not exactly what you asked for, but changing the user id (setuid directories) is not supported on Linux. Wikipedia has a pretty good article about setuid and setgid directories. Furthermore, you have to set the umask value of the tomcat user to 000x (e.g. 0002) or a similar value which gives full access to the group.
3rd solution: set up a cron job which changes the permissions every n minutes.

joomla directory permission problem

I have installed Joomla on my new account. All the files are showing the FTP username as the owner of the files. But when I go to the Joomla admin section and check directory permissions, it says that a few folders are unwritable.
Does it mean that the admin page is using a different user than the FTP username?
It's not about ownership, usually it's about permissions. If you want to understand it all - there is a quite extensive FAQ
http://forum.joomla.org/viewtopic.php?t=121470
Short one - look into the test results - note the files and directories to be changed. Depending on the security configuration of your Web server, the recommended default permissions are:
755 for directories
644 for files
Change them. For FileZilla (a free FTP client - my best guess on what you are using) a good tutorial on how to change file permissions is:
http://www.codeunit.co.za/2008/07/18/remotely-changing-multiple-linux-file-permissions-with-filezilla/
Since the owner usually has the most rights, changing the ownership of all files to the http-server process owner could also work, but then again - you would have to do this each time and it's not possible via FTP.
Yes, if this is hosted on Apache, the Apache server usually runs as user www-data.

ubuntu: share a folder to be used by all user in group

I want to share a folder among all users of a group: dev, so that all files, regardless of the owner, can be edited by anyone in the group.
I have created the shared folder and set the respective permissions to the folder.
When a user creates a new file in that folder it belongs to owner:dev
But the permissions for the files are rw-r--r--
So other users who belong to the same group are not able to edit the files.
Just as the default group becomes "dev", how can I set the default permissions for the files created in that directory?
I don't want to use the "umask" technique because the user will upload files into that directory through FTP and other tools.
This really belongs on Server Fault and I already mentioned there's almost an exact duplicate there, but anyway there's a nice little solution you can use, which is the FUSE bindfs module (there's a package in Ubuntu). You use it to mount one directory onto another mountpoint and can set things such as the default permissions of any files created here, their owner, group and the permissions of files already in the directory (which is what you seem to want).
I don't want to use the "umask" technique because the user will upload files into that directory through FTP and other tools.
That's the only way to do it, unless those "other tools" are themselves able to adjust permissions.
If you have root access, you can set the default umask for everyone to 002 from /etc/bashrc (assuming bash is the default shell for the users in question).
A hack (and this is less preferable to umask) is to set up a cron job that will run every minute and do a chmod -R g+w <dir>.
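
An added example, not taken from any of the posts: it covers both the setgid upload directory from the Tomcat thread and the shared "dev" folder above, and shows on Linux which attributes a setgid directory passes on to new entries and which still come from the creating process's umask. The helper names and the temporary directory are constructed here, and `stat -c` assumes GNU coreutils as shipped on Ubuntu.

```shell
#!/bin/sh
# mode_of PATH -> octal permission bits, e.g. 2775
mode_of() { stat -c '%a' "$1"; }
# group_of PATH -> owning group name
group_of() { stat -c '%G' "$1"; }

# create_in_shared DIR UMASK NAME
# Creates file NAME and directory NAME.d inside DIR under the given umask.
# The body runs in a subshell, so the caller's umask is left untouched.
create_in_shared() (
    umask "$2"
    : > "$1/$3"
    mkdir "$1/$3.d"
)

shared=$(mktemp -d)
chmod 2775 "$shared"    # rwxrwsr-x: setgid bit set on the shared directory

create_in_shared "$shared" 022 default   # common default umask
create_in_shared "$shared" 002 group     # umask suggested in the answers

# New entries take the directory's group and subdirectories inherit the
# setgid bit, but the rwx bits are decided by the umask alone.
for p in default default.d group group.d; do
    printf '%-10s mode=%s group=%s\n' "$p" \
        "$(mode_of "$shared/$p")" "$(group_of "$shared/$p")"
done
rm -rf "$shared"
```

This is why files uploaded by a daemon whose umask is 022 stay rw-r--r-- even inside a 2775 directory: the setting that has to change is the uploading service's umask (or an equivalent default-permission mechanism), not the directory mode.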

how to prevent users from creating, deleting, renaming directories in Linux?

I am a bit lost with Linux file and directory permissions. What I would like to do is have one user be able to create, delete, and rename directories, while other users are not able to do so, but they should be able to read and write to the directories as well as traverse them.
So group 'storage' has access to directory /workspace, those are the users which are not supposed to be able to create, delete, or rename directories. Group 'storageAdmin' also has access to directory /workspace, but is able to create, delete, or rename directories within.
Whenever 'storageAdmin' creates a new directory it should automatically be accessible to 'storage' such that they can read and write files within it.
Am I correct in that /workspace needs to be owned by 'storageAdmin' and be set to chmod 775 for this to work properly?
The correct permissions are 2775, setting the setgid bit too. This causes new files and directories to inherit the parent's permissions, owner and group.
Be aware though, that the standard Unix permissions do not allow you to restrict access to the directory to the storage group after chgrping it to storageAdmin. Everyone has access now according to the other permission set.
Use POSIX ACLs or SELinux if you really need more fine-grained access controls.
