Re: ftp to webserver - not as root
On 03-08-09 13:04 -0400, ScruLoose wrote:
> On Sat, Aug 09, 2003 at 05:11:26PM +0200, Wolfgang Fischer wrote:
> > On Sat, 09 Aug 2003 13:30:06 +0200, Anita Lewis wrote:
> > > A user can ftp in and work on pages in their own public_html, but those
> > > pages would appear in /~username. I want to be able to work on pages in
> > > /var/www, because those pages come up when the domain name is accessed via
> > > browser. /var/www is root.root
> > >
> > > Is there a way other than dropping the pages off as user via ftp, ssh and su
> > > to root and move them, to do this? I'm thinking maybe there is a way using
> > > groups. Or is there something wrong with my thinking about not allowing
> > > root ftp?
As you already heard, there's definitely nothing wrong with your
thinking there; that would be an extremely dangerous thing to do.
You'll have to set up /etc/proftpd.conf (or whatever the conf file is for
your FTP server). ProFTP (& probably others) allows you to set up
<VirtualHost> directives, similar to Apache, which you can use to keep
providing access to UserDirs and provide /var/www as well, but due to the
FTP protocol you need either: a dedicated IP address for each VirtualHost,
or: to run ProFTP as a standalone server (as opposed to inetd) and assign
each VirtualHost a different port number... at least that's my
understanding; I never tried the second method.
Maybe there are other ways...
> What I've done personally is to create a webauthors group, chgrp'ed
> /var/www from root.root to root.webauthors, and added my regular user
> account to that group. It seems to work okay for me.
>
> Mind you, I'm a complete newbie at the webserver thing, so before you
> do what I did, you might want to wait and see whether some more
> experienced folks point out some glaring problem with it... ;-)
>
I took this same tactic, so I am curious what holes people will poke into
it as well. I've even taken it a little further by sgid'ing /var/www:
drwxrwsr-x 15 root www-adm 4096 Aug 9 18:31 www
I also don't have root owning most of the webroot subdirectories. I
*think* you're okay as long as it's not owned/writable by www-data (or
whoever owns the Apache process).
(And I am the only www-adm, so I don't have to worry about one site's
owner getting into the other sites.)
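An added example, not part of the original thread and not written by any of its posters: a shell function that audits a webroot for the layout described in the message above (one authoring group, setgid directories, nothing owned by or world-writable for the web server account). The function name `audit_webroot` and the finding labels are assumptions made for this example; `www-adm` and `www-data` are the names used in the post.

```shell
#!/bin/sh
# Added example: audit a webroot for the group/setgid layout from the thread.
# Usage: audit_webroot DIR AUTHOR_GROUP SERVER_USER
#   e.g. audit_webroot /var/www www-adm www-data
# Names or numeric ids are accepted for the group and the user.
# Prints one finding per line and returns 1; prints nothing and returns 0
# when the tree is clean.
audit_webroot() (
    root=$1; grp=$2; srv=$3

    findings=$(
        # Directories without the setgid bit: files created there take the
        # creator's primary group instead of the authoring group.
        find "$root" -type d ! -perm -2000 | sed 's/^/NO_SETGID /'

        # Anything not group-owned by the authoring group has already
        # drifted from the intended layout.
        find "$root" ! -group "$grp" | sed 's/^/WRONG_GROUP /'

        # Files or directories owned by the server account can be rewritten
        # by anything that runs as that account.
        find "$root" -user "$srv" | sed 's/^/SERVER_OWNED /'

        # World-writable entries are writable by the server account too,
        # through the "other" permission bits (symlinks are skipped because
        # their mode bits are not meaningful).
        find "$root" ! -type l -perm -0002 | sed 's/^/WORLD_WRITABLE /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    exit 0
)
```

The check does not cover the case where the server account is itself a member of the authoring group; `id -Gn www-data` shows that directly.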