Post #4, 30th September 2011, by BinarySpike

Quote:
Originally Posted by Carpetsmoker
Eek! The evil chmod 777 rears its ugly head!

chmod 777 will make the file or directory writable by *everyone*. This includes accounts that are normally used only for system services such as apache, ftpd, ntpd, sendmail, bind, etc. The biggest reason these processes run as a separate user and not root is that this way they cannot access files which they should not access. Such as /bin/ls or /etc/passwd ...
This means that if some 1337 haxx0r gains access to, for example, your sendmail through some vulnerability, he/she can only access/change a very limited number of files and (hopefully) the impact is limited.

So, in short, I would recommend you never use chmod 777 unless you have a very clear picture of why it's 777 and not something else. (One of the few examples of "legal" use is /tmp/.)
Understandably this makes it unsafe. I spent 6 hours the night before, and 2 the day after trying to get my groups right... just permissions... I'm sure I punched a fighter jet sized hole in my system and had to go back and clean as much of /etc/group up as I could.

Quote:
Originally Posted by Carpetsmoker
Now, to actually answer the original question.

The guide you posted is for Ubuntu, not OpenBSD
Ubuntu is very different.

If I understand it correctly, you want to have /var/www/htdocs/images/ writable by both Apache and by Squid?

One method of doing that is creating a new group, putting both the apache and squid users in that group, and making this directory group writable (using chmod 775).

I don't know why /usr/local/bin/flip.pl needs to be chmod 777? Since this script is executed I would consider it to be extremely bad security practice to make this world-writable! Maybe the problem you had was that it wasn't executable by everyone? Try chmod 755
I adapted the information for Ubuntu to OpenBSD. I'm not new to Unix-style systems. My problem is that I have no experience in filesystem permissions. And a lot of Mac OS X articles tell you, "now: chmod 777 ./Desktop/script.sh", which explains why I thought flip.pl had to be 777.

The problem was that I added _squid to www and then tried giving www write permissions to the apache folder. However then it would remove apache's write permissions. I couldn't get both of them in a group that would function correctly. I'm obviously missing something.

You say "making this directory group writable (Using chmod 775)"; would that mean any group could read/write to that directory? How would I specify that group (for example www) as the only group writable?
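An added example, not part of the thread: a small audit that lists what any local account could modify under a directory, run against a constructed throwaway tree that mirrors the modes discussed above (777 on a script, 775 on a shared directory, and the /tmp-style sticky 1777). The function names and the tree layout are assumptions made for the illustration. The group write bit in 775 applies only to the directory's single owning group, which is the fourth column of `ls -ld`.

```shell
#!/bin/sh
# Added example: constructed directory tree, not files from the thread.

# List what any local account could modify under $1:
# world-writable files, and world-writable directories without the sticky bit.
audit_world_writable() {
    find "$1" \( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \) -print
}

# Build a throwaway tree mirroring the modes discussed in the thread.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/images" "$root/scratch"
    : > "$root/flip.pl"
    chmod 775 "$root/images"    # rwx owner, rwx owning group, r-x everyone else
    chmod 1777 "$root/scratch"  # /tmp-style: world-writable but sticky
    chmod 777 "$root/flip.pl"   # the setting the thread warns against
    echo "$root"
}

# Mode string of a path as ls prints it, e.g. drwxrwxr-x
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

demo() {
    root=$(build_demo_tree) || return 1
    echo "before: $(audit_world_writable "$root")"   # only flip.pl is flagged
    chmod 755 "$root/flip.pl"                        # executable by all, writable by owner
    echo "after:  $(audit_world_writable "$root")"   # nothing left to flag
    # The one group that the "w" in 775 applies to is the directory's owning
    # group; "chgrp www images" would set it (needs that group, not run here).
    echo "images: $(mode_of "$root/images") group=$(ls -ld "$root/images" | awk '{ print $4 }')"
    rm -rf "$root"
}

demo
```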