
Re: ftp to webserver - not as root



On 03-08-09 13:04 -0400, ScruLoose wrote:
> On Sat, Aug 09, 2003 at 05:11:26PM +0200, Wolfgang Fischer wrote:
> > On Sat, 09 Aug 2003 13:30:06 +0200, Anita Lewis wrote:
> > > A user can ftp in and work on pages in their own public_html, but those
> > > pages would appear in /~username. I want to be able to work on pages in
> > > /var/www, because those pages come up when the domain name is accessed via
> > > browser.  /var/www is root.root 
> > > 
> > > Is there a way other than dropping the pages off as user via ftp, ssh and su
> > > to root and move them, to do this?  I'm thinking maybe there is a way using
> > > groups.  Or is there something wrong with my thinking about not allowing
> > > root ftp?

As you already heard, there's definitely nothing wrong with your
thinking there; that would be an extremely dangerous thing to do.

You'll have to set up /etc/proftpd.conf (or whatever the conf file is for
your FTP server). ProFTP (and probably others) allows you to set up
<VirtualHost> directives, similar to Apache, which you can use to keep
providing access to UserDirs and provide /var/www as well, but due to the
FTP protocol you need either a dedicated IP address for each VirtualHost,
or to run ProFTP as a standalone server (as opposed to from inetd) and
assign each VirtualHost a different port number... at least that's my
understanding; I never tried the second method.

Maybe there are other ways.


> What I've done personally is to create a webauthors group, chgrp'ed
> /var/www from root.root to root.webauthors, and added my regular user
> account to that group. It seems to work okay for me.
> 
> Mind you, I'm a complete newbie at the webserver thing, so before you
> do what I did, you might want to wait and see whether some more
> experienced folks point out some glaring problem with it...  ;-)
> 

I took this same tactic, so I am curious what holes people will poke in
it as well. I've even taken it a little further by sgid'ing /var/www:

drwxrwsr-x   15 root     www-adm      4096 Aug  9 18:31 www

I also don't have root owning most of the webroot subdirectories; I
*think* you're okay as long as it's not owned/writable by www-data (or
whoever owns the Apache process).

(and I am the only www-adm, so I don't have to worry about one site's
owner getting into the other sites)
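The group-based setup both replies describe (a webauthors/www-adm group owning /var/www, plus the setgid bit so new files inherit that group), written out as an added example that is not part of the original thread. It assumes Linux with GNU coreutils (`stat -c`). The real `chgrp`/`chmod` on /var/www need root and a group created beforehand with `groupadd`; the `demo` function instead runs unprivileged against a temporary directory, using the caller's own primary group as a stand-in for the web-authors group, so it can be executed as-is. The `others_can_write` check is the thing to run afterwards: the webroot should be group-writable for the authors but never world-writable, and never owned by the user Apache runs as.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Linux/GNU coreutils.

# setup_webroot DIR GROUP
# Make DIR group-owned by GROUP, group-writable, and setgid so files and
# subdirectories created inside inherit GROUP rather than the creator's
# primary group. Produces the "drwxrwsr-x root www-adm" listing from the thread.
# On the real /var/www this must run as root.
setup_webroot() {
    dir=$1
    grp=$2
    chgrp "$grp" "$dir" || return 1
    chmod 2775 "$dir"   || return 1
}

# check_webroot DIR GROUP
# Return 0 if DIR is owned by GROUP, has mode 2775, and a file created
# inside it inherits GROUP (the setgid effect); non-zero otherwise.
check_webroot() {
    dir=$1
    grp=$2
    [ "$(stat -c '%G' "$dir")" = "$grp" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "2775" ] || return 1
    probe="$dir/.probe.$$"
    : > "$probe" || return 1
    inherited=$(stat -c '%G' "$probe")
    rm -f "$probe"
    [ "$inherited" = "$grp" ]
}

# others_can_write PATH
# Echo 1 if "other" has write permission on PATH, else 0. A webroot that
# www-data can write to (via world-writable bits, or by owning it) lets a
# compromised Apache process rewrite the site; this catches the first case.
others_can_write() {
    mode=$(stat -c '%a' "$1")
    other=$(( mode % 10 ))
    if [ $(( other & 2 )) -ne 0 ]; then echo 1; else echo 0; fi
}

# owned_by PATH USER
# Echo 1 if PATH is owned by USER (e.g. www-data, which you do not want).
owned_by() {
    if [ "$(stat -c '%U' "$1")" = "$2" ]; then echo 1; else echo 0; fi
}

# demo: unprivileged run against a temp dir using the caller's primary
# group as a stand-in for webauthors/www-adm. Returns 0 on success.
demo() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)
    mkdir "$tmp/www" || { rm -rf "$tmp"; return 1; }
    setup_webroot "$tmp/www" "$grp" && check_webroot "$tmp/www" "$grp" \
        && [ "$(others_can_write "$tmp/www")" = 0 ]
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

For the real thing, substitute `/var/www` and the group you created (`groupadd webauthors; usermod -a -G webauthors yourlogin`), run `setup_webroot` as root, then log in again so the new group membership takes effect before uploading via FTP.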



