FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » using scripting languages to automate a browser
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: getting a php capability on ubuntu was Re: using scripting languages to automate a browser [message #180439 is a reply to message #180432] Thu, 14 February 2013 16:15 Go to previous messageGo to previous message
Kim Andr Aker is currently offline  Kim Andr Aker
Messages: 17
Registered: September 2010
Karma:
Junior Member
På Thu, 14 Feb 2013 07:48:44 +0100, skrev Cal Dershowitz
<cal(at)example(dot)invalid>:

> On 02/13/2013 04:40 PM, The Natural Philosopher wrote:
>> On 13/02/13 04:09, Cal Dershowitz wrote:
>>> On 02/12/2013 07:27 AM, The Natural Philosopher wrote:
>>>
>>>> All here by the looks of it
>>>>
>>>> https://help.ubuntu.com/community/ApacheMySQLPHP
>>>>
>>>>
>>>>
>>>
>>> Thanks all for comments. I got as far in the process as to have a
>>> localhost that shows up in a browser and try to write test.php, and I
>>> don't want to get too far ahead of myself with enabling permissions.
>>>
>>> $ cat > test.php
>>> bash: test.php: Permission denied
>>> $ pwd
>>> /var/www
>>> $ cd ..
>>> $ ls -l
>>> total 48
>>> drwxr-xr-x 2 root root 4096 Feb 1 17:18 backups
>>> drwxr-xr-x 18 root root 4096 Feb 12 20:06 cache
>>> drwxrwsrwt 2 root whoopsie 4096 Dec 13 07:35 crash
>>> drwxr-xr-x 2 root root 4096 Apr 23 2012 games
>>> drwxr-xr-x 66 root root 4096 Feb 12 20:07 lib
>>> drwxrwsr-x 2 root staff 4096 Apr 19 2012 local
>>> lrwxrwxrwx 1 root root 9 Jan 23 02:33 lock -> /run/lock
>>> drwxr-xr-x 19 root root 4096 Feb 12 20:07 log
>>> drwxrwsr-x 2 root mail 4096 Apr 23 2012 mail
>>> drwxr-xr-x 2 root root 4096 Apr 23 2012 opt
>>> lrwxrwxrwx 1 root root 4 Jan 23 02:33 run -> /run
>>> drwxr-xr-x 8 root root 4096 Apr 23 2012 spool
>>> drwxrwxrwt 2 root root 4096 Feb 12 20:02 tmp
>>> drwxr-xr-x 2 root root 4096 Feb 12 20:08 www
>>> $
>>>
>>> Without any better notion, I would simply chmod a +w here for www, but
>>> I'd first like to ask if that's a good idea, as sometimes I've found
>>> that when I lack permission to do something, that it's more like
>>> keeping
>>> me from shooting myself in the foot.
>>>
>>> What would you do now?
>> I would make www owned by (IIRC) www-data or whatever apache runs under,
>> and group staff and leave the permissions alone.
>
> Can you elaborate?

Your /var/www folder is owned by the root user, and the permissions are
set to only allow the root user to create and write to files in that
folder.

From your list of users, I'd say the www-data user is the right one for
this scenario. Just run the following command:

sudo chown -R www-data:www-data /var/www

This will change the owner (chown) of the /var/www folder to the
"www-data" user (and the "www-data" group), and all files and folders
within it (-R = recursively). The sudo command is used to run the chown
command with elevated administrator privileges (ie. as the root user). You
may have to provide a password to run that command, though. If you're
already running the command as the root user, you don't need to run it
through "sudo".

The other privileges on the files inside /var/www (read/write/execute) can
stay as they are (no need to use the "chmod" command).

> [snip]
>
> Q,7) Are these the users of my ubuntu system?
>
> After the ellipses, I think all of that got added as I did a LAMP
> install. Now I have a quiver full of questions.

Yes, these are all users of your Ubuntu system, most of these are created
and used for various background services, especially those with a
userid/uid lower than 1000 - each line is in the following format (each
field is separated by ":" - a colon):
username:x:userid:groupid:real name (or description):homedir:shell

http://en.wikipedia.org/wiki/Passwd_(file)

The www-data user and group is the most common user/group created when
installing Apache2 on Ubuntu and Debian systems.

> Q1) Now that I have shown /etc/passwd on-line, have I laid out my cards
> to hackers who just have a lot of time their hands, be bored and want to
> do something interesting. Be aware that my machine and website might
> total one hundred bucks in assets.

The only "useful" information contained in the /etc/passwd file is mainly
the usernames - all the rest is mostly useless to outside attackers (the
password is not revealed in this file, and the homedir and shell paths are
only somewhat useful once the user has already gotten inside). It may
provide a starting point for brute-force hacking, though, but then they'd
also have to know the IP address of your server as well.

> Q2) Do I want to create a group that comprehends all these differing
> agents in apache?

All websites served by Apache run under the user that has been defined for
Apache (usually the user "www-data" and the group "www-data" - this can be
changed in the config files for Apache, though).

--
Kim André Akerø
- kimandre(at)NOSPAMbetadome(dot)com
(remove NOSPAM to contact me directly)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: CMS Recommendation
Next Topic: On click button in php
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 14:55:28 GMT 2024

Total time taken to generate the page: 0.04954 seconds