On Thu, 2013-06-20 at 14:30 +0100, Ian Malone wrote:
> On 20 June 2013 04:42, Anthony <lists@xxxxxxxxxxxxxxx> wrote:
> > On 06/19/2013 10:19 PM, Reindl Harald wrote:
> >>
> >>
> >> On 20.06.2013 05:17, Anthony wrote:
> >>> How do I add myself as co-owner of a directory? I set up a new
> >>> apache server and need to transfer files to /var/www/html. The
> >>> problem is, of course, I've denied root login but don't have
> >>> sufficient privs to login and transfer files under my username.
> >>>
> >>> How can I fix this?
> >>
> >> man chown man chgrp man setfacl
> >>
> >> generally the files should not be owned by apache and only
> >> writeable by the owner, in your case you
> >>
> >> from point of security it is very bad if the webserver has
> >> write-permissions because it may lead after a small breach in
> >> manipulated files wide opening the doors
> >
> > Thank you. In my case, it looked like root was one of the owners of
> > the directory but apache wasn't. The owners were listed as root and
> > me. But I couldn't write to it.
> >
> > I did a chown anthony: /var/www/html and that seems to have given me
> > write privs since I'm now the owner. I couldn't find the man page for
> > setfacl but I'll dig around the net and see if I can find it.
> >
>
> Just spotted this, so apologies if I've missed some other context, but
> to pick up on something you said here:
> It's very unusual to have two owners for a file or directory. It might
> be possible on some filesystems, but not normal Linux FS. I think you
> might be misinterpreting the ls -l output of something like (on this
> RHEL machine),
> $ls /var/lib/mlocate/ -lhd
> drwxr-x---. 2 root slocate 4.0K Jun 20 03:26 /var/lib/mlocate/
>
> Where the second name indicates group, not a second owner. Group
> members are subject to the group permissions, here slocate doesn't have
> write access to this directory. As a normal user not in the group I
> don't have read or write access.
> >
> > In the meantime, I'm assuming simply taking ownership of the directory
> > shouldn't open any security holes, right?
> >
>
> Well, weakening permissions always has some security implications, but
> as Harald said it's actually having the web server with write
> permission that is the thing to avoid. A separate group able to write
> to the www directory is the right way to do this, if only one user
> needs it then ownership instead is equivalent.

A nice solution to this problem is described in the Red Hat
documentation for "user private groups", which is how Fedora manages
user groups anyway. We have the Web server as a member of a group of
users that owns the html directory, along with other users who need to
maintain it. Properly implemented, this seems to work well. Google
"user private groups" for details.

--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
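The two points made in the thread, a separate group with write access to the www directory and a web server that cannot write there, can be set up and then checked as follows. This is an added example, not part of the thread; the function names, the group name `webadmin` and the service user `apache` are assumptions, and the check reads mode bits only (ACLs set with setfacl are not inspected).

```shell
#!/bin/sh
# Added example. Function names and the names in the usage comment are
# assumptions for illustration, not taken from the thread.

# Give a maintainers' group write access to the web root (run as root).
# The setgid bit (2xxx) on directories makes new files inherit the group,
# so every maintainer can edit what another maintainer uploaded.
setup_shared_webroot() {    # usage: setup_shared_webroot DIR GROUP USER
    dir=$1; group=$2; user=$3
    groupadd -f "$group" &&
    usermod -aG "$group" "$user" &&
    chown -R root:"$group" "$dir" &&
    find "$dir" -type d -exec chmod 2775 {} + &&
    find "$dir" -type f -exec chmod 0664 {} +
}

# Print every path under DIR that USER could modify:
#   - paths USER owns (an owner can always chmod write access back in),
#   - paths that are group-writable by one of USER's groups,
#   - paths that are world-writable.
# Symlinks are skipped because their own mode bits are meaningless.
# Returns 2 if USER does not exist.
writable_by() {             # usage: writable_by DIR USER
    dir=$1; user=$2
    uid=$(id -u "$user") || return 2
    set -- -user "$uid" -o -perm -0002
    for gid in $(id -G "$user"); do
        set -- "$@" -o \( -group "$gid" -perm -0020 \)
    done
    find "$dir" ! -type l \( "$@" \) -print
}

# Typical use on the setup discussed above (as root; "anthony" is the poster):
#   setup_shared_webroot /var/www/html webadmin anthony
#   writable_by /var/www/html apache
```

Any path printed by `writable_by` for the web server's account is one a compromised web application could alter. The new group membership takes effect at the user's next login.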