Re: getting a php capability on ubuntu was Re: using scripting languages to automate a browser [message #180439 is a reply to message #180432]
Thu, 14 February 2013 16:15
Kim André Akerø
On Thu, 14 Feb 2013 07:48:44 +0100, Cal Dershowitz
<cal(at)example(dot)invalid> wrote:
> On 02/13/2013 04:40 PM, The Natural Philosopher wrote:
>> On 13/02/13 04:09, Cal Dershowitz wrote:
>>> On 02/12/2013 07:27 AM, The Natural Philosopher wrote:
>>>
>>>> All here by the looks of it
>>>>
>>>> https://help.ubuntu.com/community/ApacheMySQLPHP
>>>>
>>>>
>>>>
>>>
>>> Thanks all for comments. I got as far in the process as to have a
>>> localhost that shows up in a browser and try to write test.php, and I
>>> don't want to get too far ahead of myself with enabling permissions.
>>>
>>> $ cat > test.php
>>> bash: test.php: Permission denied
>>> $ pwd
>>> /var/www
>>> $ cd ..
>>> $ ls -l
>>> total 48
>>> drwxr-xr-x 2 root root 4096 Feb 1 17:18 backups
>>> drwxr-xr-x 18 root root 4096 Feb 12 20:06 cache
>>> drwxrwsrwt 2 root whoopsie 4096 Dec 13 07:35 crash
>>> drwxr-xr-x 2 root root 4096 Apr 23 2012 games
>>> drwxr-xr-x 66 root root 4096 Feb 12 20:07 lib
>>> drwxrwsr-x 2 root staff 4096 Apr 19 2012 local
>>> lrwxrwxrwx 1 root root 9 Jan 23 02:33 lock -> /run/lock
>>> drwxr-xr-x 19 root root 4096 Feb 12 20:07 log
>>> drwxrwsr-x 2 root mail 4096 Apr 23 2012 mail
>>> drwxr-xr-x 2 root root 4096 Apr 23 2012 opt
>>> lrwxrwxrwx 1 root root 4 Jan 23 02:33 run -> /run
>>> drwxr-xr-x 8 root root 4096 Apr 23 2012 spool
>>> drwxrwxrwt 2 root root 4096 Feb 12 20:02 tmp
>>> drwxr-xr-x 2 root root 4096 Feb 12 20:08 www
>>> $
>>>
>>> Without any better notion, I would simply chmod a +w here for www, but
>>> I'd first like to ask if that's a good idea, as sometimes I've found
>>> that when I lack permission to do something, that it's more like keeping
>>> me from shooting myself in the foot.
>>>
>>> What would you do now?
>> I would make www owned by (IIRC) www-data or whatever apache runs under,
>> and group staff and leave the permissions alone.
>
> Can you elaborate?
Your /var/www folder is owned by the root user, and the permissions are
set to only allow the root user to create and write to files in that
folder.

From your list of users, I'd say the www-data user is the right one for
this scenario. Just run the following command:

    sudo chown -R www-data:www-data /var/www

This will change the owner (chown) of the /var/www folder to the
"www-data" user (and the "www-data" group), and all files and folders
within it (-R = recursively). The sudo command is used to run the chown
command with elevated administrator privileges (i.e. as the root user). You
may have to provide a password to run that command, though. If you're
already running the command as the root user, you don't need to run it
through "sudo".

The other privileges on the files inside /var/www (read/write/execute) can
stay as they are (no need to use the "chmod" command).
> [snip]
>
> Q,7) Are these the users of my ubuntu system?
>
> After the ellipses, I think all of that got added as I did a LAMP
> install. Now I have a quiver full of questions.
Yes, these are all users of your Ubuntu system. Most of these are created
and used for various background services, especially those with a
userid/uid lower than 1000. Each line is in the following format (each
field is separated by ":" - a colon):

    username:x:userid:groupid:real name (or description):homedir:shell

http://en.wikipedia.org/wiki/Passwd_(file)

The www-data user and group are the most common user/group created when
installing Apache2 on Ubuntu and Debian systems.
> Q1) Now that I have shown /etc/passwd on-line, have I laid out my cards
> to hackers who just have a lot of time on their hands, are bored and want to
> do something interesting? Be aware that my machine and website might
> total one hundred bucks in assets.
The only "useful" information contained in the /etc/passwd file is mainly
the usernames - all the rest is mostly useless to outside attackers (the
password is not revealed in this file, and the homedir and shell paths are
only somewhat useful once the user has already gotten inside). It may
provide a starting point for brute-force hacking, though, but then they'd
also have to know the IP address of your server as well.
> Q2) Do I want to create a group that comprehends all these differing
> agents in apache?
All websites served by Apache run under the user that has been defined for
Apache (usually the user "www-data" and the group "www-data" - this can be
changed in the config files for Apache, though).
--
Kim André Akerø
- kimandre(at)NOSPAMbetadome(dot)com
(remove NOSPAM to contact me directly)
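
Added example, not part of the original post: the seven-field /etc/passwd format described in the reply above, parsed with shell and awk to show which entries are service accounts, which have a usable shell, and whether the password field holds only the `x` placeholder. The sample lines and the function names `audit_passwd` and `review_items` are constructed for illustration.

```shell
# Constructed sample in /etc/passwd format (not the poster's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
legacy:$1$constructed$notARealHash:500:500::/home/legacy:/bin/sh
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
truncated:x:1001'

# audit_passwd: read passwd-format lines on stdin and print one line each:
#   <username> <uid> <system|human> <login|nologin> <password-field state>
# uid < 1000 is treated as a service account, the convention the post describes.
audit_passwd() {
    awk -F: '
        # Reject lines that do not have seven fields or a numeric uid.
        NF != 7 || $3 !~ /^[0-9]+$/ { print "line" NR " malformed"; next }
        {
            class = ($3 < 1000) ? "system" : "human"
            login = ($7 ~ /(nologin|false)$/) ? "nologin" : "login"
            if ($2 == "x")         pw = "shadowed"     # hash is kept in /etc/shadow
            else if ($2 == "")     pw = "empty"        # no password required
            else if ($2 ~ /^[*!]/) pw = "locked"
            else                   pw = "inline-hash"  # hash readable by every local user
            print $1, $3, class, login, pw
        }'
}

# review_items: names of entries worth a second look: a hash or empty password
# in the world-readable file, or a non-root service account with a usable shell.
review_items() {
    audit_passwd | awk '$5 == "inline-hash" || $5 == "empty" ||
                        ($3 == "system" && $4 == "login" && $2 != 0) { print $1 }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

To check a real system, feed the file in directly: `audit_passwd < /etc/passwd`.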