
Re: ftp to webserver - not as rot



Anita Lewis <ajlewis2@intac.com> writes:
> I want to be able to work on pages in /var/www, because those pages
> come up when the domain name is accessed via browser. /var/www is
> root.root
>
> Is there a way other than dropping the pages off as user via ftp,
> ssh and su to root and move them, to do this? I'm thinking maybe
> there is a way using groups. Or is there something wrong with my
> thinking about not allowing root ftp?

Allowing unencrypted FTP for any user is a bad idea, but sending the
root password in the clear is a horrible idea, so you're indeed right
to disable root FTP access. It's much better to use SSH-secured
alternatives like scp (secure copy) and sftp (secure file transfer
program), both of which come with OpenSSH, for any type of file
uploading. For an interface like the GUIs of popular FTP clients, you
can use gFTP (for X Windows on UNIX-like OSs), WinSCP (for Microsoft
Windows), or Fugu (for OS X).

One of these clients, WinSCP, has a comparison of scp and sftp:
http://winscp.sourceforge.net/eng/protocols.php

If I remember correctly, some of these clients allow you to run
arbitrary ssh commands from within them. Thus, you could su to root
and then mv and chown the files without needing to start a separate
SSH session. But, as long as you use SSH and have a good root
password, there's little practical reason not to allow root to log in
directly.

Off topic, but in a similar vein: Two things come to mind that you
might be interested in. First is sudo, a program co-written by one of
the co-authors of the UNIX System Administrator's Handbook. You
preface a command with "sudo" to run it as root, and it asks you for
your own password; subsequent sudo commands don't require your
password unless you've been idle for 15 minutes. I've replaced root's
password (in the shadow file, in my case) with a * to disable root
logins. When I need a root shell, I run "sudo su" or "sudo su -m".

Another thing you might be interested in is diceware, a systematic way
to pick easy-to-remember, cryptographically-strong passwords using
dice and a word list. (You'll want md5 passwords enabled for this,
otherwise only the first 8 characters count, which makes for a weak
password.)

-- 
Gregory K. Johnson
http://gkj.gregorykjohnson.com/
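
Added example (not part of the original message): a small Python check that reads shadow-format lines and reports the two conditions mentioned above, namely whether root's password field is locked with `*` and which accounts still use traditional crypt hashes, where only the first 8 characters count. The sample entries, hash strings and function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/shadow layout (name:password-field:...).
# The hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*:12345:0:99999:7:::
anita:$1$saltsalt$CONSTRUCTEDxxxxxxxxxxx:12345:0:99999:7:::
olduser:xyCONSTRUCTED:12345:0:99999:7:::
daemon:!:12345:0:99999:7:::
"""

# Traditional DES crypt: 2-character salt + 11-character hash, 13 in total.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Label the password field of one shadow entry."""
    if field == "":
        return "empty"            # account has no password at all
    if field[0] in "*!":
        return "locked"           # no typed password can ever match
    if field.startswith("$1$"):
        return "md5"              # MD5 crypt: whole passphrase is hashed
    if field.startswith("$"):
        return "other-modular"    # some other $id$ scheme
    if DES_CRYPT.match(field):
        return "des"              # only the first 8 characters count
    return "unknown"

def audit(shadow_text):
    """Map each account name to the label of its password field."""
    results = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] and not line.startswith("#"):
            results[parts[0]] = classify(parts[1])
    return results

def truncating_accounts(results):
    """Accounts where a long diceware passphrase would be cut to 8 characters."""
    return sorted(name for name, kind in results.items() if kind == "des")

def root_password_locked(results):
    """True when root cannot log in with a password (field is * or !)."""
    return results.get("root") == "locked"

if __name__ == "__main__":
    r = audit(SAMPLE_SHADOW)
    print("root locked:", root_password_locked(r))
    print("8-character truncation:", truncating_accounts(r))
```
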


