On my Ubuntu 18.04 server I have created a FTP user (named ftphtm3) for which I want to restrict access to folder /var/www/html3
Here is what I have done so far:
created a FTP directory /var/ftp/ftphtm3 and bound it to /var/www/html3, mount --bind /var/www/html3 /var/ftp/ftphtm3
changed user's home directory: usermod -d /var/ftp/ftphtm3/ ftphtm3
in /etc/vsftpd.conf: chroot_local_user=YES, chroot_list_enable=YES
But then, when with filezilla as user ftphtm3, I land in /var/ftp/ftphtml3 BUT I can still go back to neighbours or parent directories (in fact I have access to all my server).
Do you have any idea what I have missed ?
Thank you
p.s: the steps for "restricting" the access come from this post but I would like if possible to avoid binding directories. I just ftphtm3 to land in /var/www/html3 and to only have access on it. That's it.
Related
I'm working on a git project that has a Dockerfile. When I run ls -l in the .git/objects repo, some of the "xx" directories are owned by me, with permissions 777, and some of the "xx" directories are owned by root, with permissions 755.
When I look into the directories owned by me, some or all of the hashed files will be owned by me with 777 permissions, and maybe some owned by root, with 444 permissions. When I look into the directories owned by root, all of the hashed files are owned by root with 444 permissions.
It seems that I might have run my container with root as container's user, which is why I get root as file owner in some parts of my repository.
I want to use Docker to help run and manage my code, but clearly the way I was using it was causing problems. Do I just need to run Docker as my normal user? If I ran all my git operations outside of the Dockerized terminal, that would probably avoid this as well, right? Or is there something else I can or should do?
Thanks for any and all feedback/advice
I'm trying to setup a singularity container for an image processing application, and I need it to be able to save images to a specified directory. I had originally tried using a straight -B flag, but that seems to mount a directory as read only if the container wasn't being run as root. Is there a way to either make a bind r/w for any user, or would I need to use some sort of scratch directory or fusemount?
The write permissions for the bound directory match those on the host system. If you want anyone to be able to write to a given directory, set permissions on the host with chmod 777 dir_name. Keep in mind this will allow anyone to read, write and delete files in the directory. Consider adding users to a shared group and using group permissions (chmod g+rwX dir_name) if there are people using the server who should not have access.
If the directory has the right permissions but you still can't write to it when it's bound, you may want to use singularity --debug exec ... to see that everything is being correctly bound to the container.
I'm trying to set up continuous deployment of a hugo site using Jenkins on an Ubuntu 16.04 server. I've installed hugo using snap as was recommended on their site. I've been able to get the site working on my main user account, but when I try to have Jenkins do it, it hits this error:
cannot create user data directory: /var/lib/jenkins/snap/hugo/1766: Permission denied
Which seems a little odd because the Jenkins has write permissions to that folder, if I'm reading the permissions correctly:
jenkins#computer: ~$ ls -al /var/lib/jenkins/snap/hugo/1766
total 8
drwxr-xr-x 2 jenkins jenkins 4096 May 11 01:33 .
drwxr-xr-x 4 jenkins jenkins 4096 May 11 01:33 ..
Am I missing something here? Are there other things I need to do?
when I try to have Jenkins do it
Make sure the Jenkins job is actually running as jenkins: add a step in your job to print id -a.
Chances are: it is not running as Jenkins, but as your main account, which does not have the right to write in that folder.
"cannot create user data directory": it is possible 1766 is the id of the user account, created as the user.
Check if creating (as your main account) that 1766 folder, with a chmod 777 (for testing) helps.
Note hugo issue 3143 does mention:
Snaps are read-only for security. We want to prevent a hostile party from sneakily changing the software on your machine, so you cannot modify a snap that is installed on your system. This also means you can always check the signature on the snap, even long after you installed it, to make sure it is still exactly the software you intended. If you want to modify a snap, you can usually build your own version of it, especially if it is open source.
So where can a snap write data? Each snap gets its own set of writable directories which have specific properties. There are two directories which the snap can write to independent of the user. One of these is versioned - each time the snap is upgraded the data is saved and the new snap revision can upgrade its copy. The other ‘common’ data directory is not versioned and is used for big blobs of data that you don’t want to duplicate across revisions of the snap:
/var/snap/<name>/current/ ← $SNAP_DATA is the versioned snap data directory
/var/snap/<name>/common/ ← $SNAP_COMMON will not be versioned on upgrades
Typically, configuration is stored in one of these, along with system-wide data for the snap.
There are also an equivalent two writable directories for each snap in the user home, which can be used to store snap data that is specific to one user or another, separately:
~/snap/<name>/current/ ← $SNAP_USER_DATA that can be rolled back
~/snap/<name>/common/ ← $SNAP_USER_COMMON unversioned user-specific data
You can use the snap edition of Hugo to write (i.e. run hugo new site etc.) anywhere inside your $HOME directory, say ~/tmp/htest, but not in the system-wide /tmp directory.
That matches the "Hugo Install from snap" section:
Hugo-as-a-snap can write only inside the user’s $HOME directory—and gvfs-mounted directories owned by the user—because of Snaps’ confinement and security model.
Use sudo snap install hugo --classic to disable the default security model if you want hugo to be able to have write access in other paths besides the user’s $HOME directory.
I solved this ultimately by:
uninstalling Jenkins with sudo apt-get remove --purge jenkins
creating a standard user account named jenkins
reinstalling Jenkins and
setting the Jenkins Workspace Root Directory to /home/jenkins/workspace/${ITEM_FULL_NAME}
Could also probably be cured by making a directory /home/jenkins that is owned by the Jenkins profile
I'm using capistrano to deploy a rails web app. I want to give the deploy user on the webserver as few privileges as I can. I was able to do everything I need to do as a non-privileged user except restart the webserver.
I'm doing this on an ubuntu server, but this problem is not specific to my use case (rails, capistrano, deployment), and I've seen a lot of approaches to this problem that seem to involve poor security practices. Wondering whether others can vet my solution and advise whether it's secure?
First, not necessary, but I have no idea why /etc/init.d/nginx would need any (even read) access by other users. If they need to read it, make them become root (by sudo or other means), so I:
chmod 750 /etc/init.d/nginx
Since the ownership is owner root, group root (or can be set such with chown root:root /etc/init.d/nginx) only root, or a user properly sudo'ed, can read, change or run /etc/init.d/nginx, and I'm not going to give my deploy user any such broad rights. Instead, I'm only going to give the deploy user the specific sudo right to run the control script /etc/init.d/nginx. They will not be able to run an editor to edit it, because they will only have the ability to execute that script. That means that if a someone gets access to my box as the deploy user, they can restart and stop, etc, the nginx process, but they cannot do more, like change the script to do lots of other, evil things.
Specifically, I'm doing this:
visudo
visudo is a specific tool used to edit the sudoers file, and you have to have sudoer privileges to access it.
Using visudo, I add:
# Give deploy the right to control nginx
deploy ALL=NOPASSWD: /etc/init.d/nginx
Check the sudo man page, but as I understand this, the first column is the user being given the sudo rights, in this case, “deploy”. The ALL gives deploy access from all types of terminals/logins (for example, over ssh). The end, /etc/init.d/nginx, ONLY gives the deploy user root access to run /etc/init.d/nginx (and in this case, the NOPASSWD means without a password, which I need for an unattended deployment). The deploy user cannot edit the script to make it evil, they would need FULL sudo access to do that. In fact, no one can unless they have root access, in which case there's a bigger problem. (I tested that the user deploy could not edit the script after doing this, and so should you!)
What do you folks think? Does this work? Are there better ways to do this? My question is similar to this and this, but provides more explanation than I found there, sorry if it's too duplicative, if so, I'll delete it, though I'm also asking for different approaches.
The best practice is to use /etc/sudoers.d/myuser
The /etc/sudoers.d/ folder can contain multiple files that allow users to call stuff using sudo without being root.
The file usually contains a user and a list of commands that the user can run without having to specify a password. Such as
sudo service nginx restart
Note that we are running the command using sudo. Without the sudo the sudoers.d/myuser file will never be used.
An example of such a file is
myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
This will allow the myuser user to call all start, stop and restart for the nginx service.
You could add another line with another service or continue to append them to the comma separated list, for more items to control.
Also make shure you have run the command below to secure things
chmod 0440 /etc/sudoers.d/myuser
This is also the way I start and stop services my own created upstart scripts that live in /etc/init
It can be worth checking that out if you want to be able to run your own services easily.
Instructions:
In all commands, replace myuser with the name of your user that you want to use to start, restart, and stop nginx without sudo.
Open sudoers file for your user:
$ sudo visudo -f /etc/sudoers.d/myuser
Editor will open. There you paste the following line:
$ myusername ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.
I suppose the title is not entirely accurate. I am able to login to an instance, but I do not see my application in any of the directories. My sense is that I am ssh'ing into the wrong directory.
Does anyone have any experience with this? Thanks.
When you ssh into your AWS instance, you're dropped into your home directory, just as if you're running your own server. From the terminal, try typing:
pwd
You'll likely see something like:
/home/ec2-user
Note that this is your home directory and not your application directory. In other words, your Document Root (where the web application starts with /index.php) is likely something like /var/www/html, so try typing:
cd /var/www/html
ls
The "ls" command shows you the contents of this directory. Here is where you'll build your web application.