Re: owner of dir/files

2003-11-12 Thread Jez Hancock
First of all please don't reply to an old thread when posting a new
topic - it messes the threading up and confuses things generally.

On Tue, Nov 11, 2003 at 09:58:20AM -0500, M.D. DeWar wrote:
> I just noticed that when I d/led a program and un-tarred it and set it up
> that the directory in the apache web root has
> as owner something like 501:www . I also noticed some others that were
> mysql:mysql or 500:100 for the user/group.

This happens when the owner:group on the source system don't exist on
the destination system.  Say the owner of the files was 'mark' on the
original server and his uid was 501, but no user existed on your system
with uid 501, then the owner would show up just as the UID, in this case
501.

> I am not sure what happens if left that way. Since there is no user/group
> for those does it mean the files won't run or be served ?

Depends on what the permissions of the 'other' bit are. For a file
whose owner:group is 501:www, permissions of 755 on the file
would mean the files would be read/write/executable (7) by the user with UID
501 - in your case no one has that UID so no one has rwx perms other than
root. Similarly the file would be read/executable (5) by the 'www' group
and read/executable (5) by the 'other' group.

So as it is the file would be served by the webserver since the 'www'
user has read/execute access.  However it's not a good idea to leave files
unowned on the system in case you eventually do add a user with UID 501
- in which case they would end up getting rwx perms on the file.

If only the webserver will be accessing the file then you can generally
just do 'chown www:www file' to change the owner:group to www:www.
There are security implications of leaving files rwx by the www user,
especially if the file is a config file and you have other users on the
server that can run cgi scripts - the file could be overwritten by a
malicious script in that case.  For config files it's best to set the
perms to

> In my web root should all directories and files be nobody:nobody  ?

That could work, but only if the perms for 'other' are sufficient to
allow reading of the files - since the web user is in the other group
and needs to be able to read the file to be able to serve it via the
httpd.

> what if some are root:wheel ?

The same holds again, although having files owned by root in a web
docroot isn't a great idea - if the file is a CGI script and a
vulnerability is found in the script and a misconfigured suexec system
is in place, commands could be executed with root permissions.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


owner of dir/files

2003-11-11 Thread M.D. DeWar
Hello,
A simple question for you in the know unix guys.

I just noticed that when I d/led a program and un-tarred it and set it up
that the directory in the apache web root has
as owner something like 501:www . I also noticed some others that were
mysql:mysql or 500:100 for the user/group.

I am not sure what happens if left that way. Since there is no user/group
for those does it mean the files won't run or be served ?

In my web root should all directories and files be nobody:nobody  ?

what if some are root:wheel ?

Thanks
Newbie Mark





Re: owner of dir/files

2003-11-11 Thread Jean-Baptiste Quenot
* M.D. DeWar:

> I just noticed that when I d/led a program and un-tarred it and set it
> up that the directory in the apache web root has as owner something
> like 501:www . I also noticed some others that were mysql:mysql or
> 500:100 for the user/group.
>
> I am not sure what happens if left that way. Since there is no
> user/group for those does it mean the files won't run or be served ?

Whether the files will be served or not depends on the file mode, not
the file owner. Apache runs as user www, so www must be able to read
those files. When files have mode 644 and dirs 755, it is always
possible to serve a website, whatever the owner (user/group) is.

> In my web root should all directories and files be nobody:nobody ?

The files and directories should be owned by their actual author, to be
able to change them.

> what if some are root:wheel ?

Then only root will be able to gain the user mode, and only users in the
wheel group will be able to gain the group mode. For example if the
mode is 640, root can write to the file, and users in wheel can read the
file. But Apache won't be able to read it.

See chmod(1) for more details.

Cheers,
-- 
Jean-Baptiste Quenot
http://caraldi.com/jbq/
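
The owner/group/other rule that both replies describe, as an added example that is not part of the original thread: it models which permission triplet applies to the web server account and flags the cases raised above (a UID with no account, a file the server cannot read, a file the server can write). The function names, the UID/GID numbers and the sample files are constructed for illustration.

```python
import stat

def access_for(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return (class, 'rwx' string) that applies to a process for one file.

    Classic Unix rule: exactly one triplet is consulted. An owner match
    wins, then a group match, otherwise 'other'. Root (uid 0) bypasses
    these checks and is not modelled here.
    """
    if proc_uid == file_uid:
        cls, shift = "owner", 6
    elif file_gid in proc_gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (stat.S_IMODE(mode) >> shift) & 0o7
    perms = "".join(c if bits & b else "-"
                    for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return cls, perms

def review(mode, file_uid, file_gid, known_uids, web_uid, web_gids):
    """Findings for one file as seen from the web server account."""
    findings = []
    if file_uid not in known_uids:
        # A future account created with this UID inherits the owner bits.
        findings.append("orphaned-uid")
    _, perms = access_for(mode, file_uid, file_gid, web_uid, web_gids)
    if "r" not in perms:
        findings.append("not-served")
    if "w" in perms:
        findings.append("web-writable")
    return findings

# Constructed sample values (assumptions, not taken from the thread).
WWW_UID, WWW_GID, WHEEL_GID = 80, 80, 0
KNOWN_UIDS = {0, 80, 88}
SAMPLES = [
    ("501:www    755", 0o755, 501, WWW_GID),
    ("root:wheel 640", 0o640, 0, WHEEL_GID),
    ("www:www    755", 0o755, WWW_UID, WWW_GID),
]

if __name__ == "__main__":
    for label, mode, uid, gid in SAMPLES:
        cls, perms = access_for(mode, uid, gid, WWW_UID, {WWW_GID})
        found = review(mode, uid, gid, KNOWN_UIDS, WWW_UID, {WWW_GID})
        print(f"{label}  www sees {cls}:{perms}  {found or 'ok'}")
```

On a live system the same inputs come from `os.stat()`, and `pwd.getpwuid()` raising `KeyError` identifies a UID with no account.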