Limit user access to home folder in Linux


Don't keep database configs world-readable. Limit them to the www-data user and/or group. Actually, limit the entire home directories to their owner and the www-data group.

chgrp -R www-data /home/user
chmod -R u=rwX,g=rXs,o= /home/user

(The g=s bit will make all newly created files inherit the www-data group.) Also set the default umask (in /etc/profile or via PAM) to 027, which denies access to "others" by default.

Of course, this is easy to bypass. One just has to write a webpage (PHP or similar) that reads the other users' configs. A better solution would be to install suPHP, which makes CGI webpages run in their owner's account; with suPHP you do not need the www-data group ownership – just limit all files to their owner (u=rwX,go=). However, this can possibly introduce a different security hole – WordPress would now have write permissions to the entire website, and considering the security history of WP, this is bad.


As for the rest of the system – /var, /usr, /etc – most of it is not sensitive. The pieces that are, are already protected by standard permissions. Don't bother hiding the rest.
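One way to check that a home directory still matches the scheme from the answer above (group set to the web server group, nothing for "others", setgid on every directory), for example from a cron job to catch later drift. This is an added example, not part of the original answer; the function name `audit_home` and its output labels are made up here, and `www-data` is assumed as the default group.

```shell
#!/bin/sh
# audit_home DIR [GROUP]
# Reports every entry under DIR that deviates from:
#   chgrp -R GROUP DIR ; chmod -R u=rwX,g=rXs,o= DIR
# Prints one line per finding. Returns 0 when clean, 1 when anything was found.
audit_home() {
    dir=$1
    group=${2:-www-data}   # assumption: the web server runs in this group
    report=$(
        # Any read/write/execute bit left for "others".
        # Symlinks are skipped because their own mode bits are not enforced.
        find "$dir" ! -type l \
            \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
            sed 's/^/other-access: /'

        # Entries whose group is not the web server group
        # (the server would lose read access once "others" is closed).
        find "$dir" ! -type l ! -group "$group" -print |
            sed 's/^/wrong-group: /'

        # Directories without setgid: files created inside them
        # will not inherit the group.
        find "$dir" -type d ! -perm -2000 -print |
            sed 's/^/no-setgid-dir: /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```

Run it as `audit_home /home/user www-data`; an empty result with exit status 0 means the directory tree conforms.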


Author by

Etienne Levesque Guitard

BY DAY: Drupal developer for the Government of Canada BY NIGHT: Systems development and Linux servers FOR FUN: Way too many TV series, books about finance

Updated on September 18, 2022

Comments

  • Etienne Levesque Guitard over 1 year

    Possible Duplicate:
    Limit every user to his own home folder only

    I have a web server running 10.04 LTS and as a newbie in the world of server administration, I'm in a bind.

    I would kindly ask that you do not divert the question. I am conscious I have some things wrong such as having root enabled, but that is not why I'm posting here. Thanks =D


    Situation

    Right now, I have three users. Root, which obviously has access to everything, and two other users that each own a website.

    For these two users, their website is located in their respective home folder in an extra folder they each have Read, Write & Execute permissions on. This is the only folder they can write to. They cannot delete it, or change anything outside the folder.

    So far so good, except that by default, they can also read any file in the system, meaning they can navigate to my other websites' folders and read, for instance, the database passwords from WordPress config files.

    This is obviously problematic.

    The users access their files and folders through SSH with FileZilla.

    Question

    • How can I prevent these users from reading sensitive data, i.e. how can I restrict their access to only their home folder?

    Requirements

    1. The users must continue to log in through SSH with FileZilla (i.e. no FTP solutions)

    2. Apache must still be able to access the user's folders (i.e. cannot chmod to 750)

    Known Problems

    • Folder containing the command line tools (/bin/bash I think) will probably have to be symlinked in the user's home folder? Please explain how to do this.

    If you have an answer, I'd appreciate if you could write it in a way that assumes I know nothing about the command line. I'm like these users who don't know how to copy paste a file in Windows, except with the command line on Linux T_T

    Thanks =D

  • Etienne Levesque Guitard over 12 years
    Is the www-data group a default that comes with Apache? What if I use both www-data group ownership and suPHP, do I eliminate the WP security hole?
  • user1686 over 12 years
    @Étienne: I think it comes with Ubuntu itself... at least on Debian it certainly does. // If you use suPHP, then the www-data group is never actually used -- suPHP switches entirely to the file owner's account.