web directories ownership

I am setting up a server whose primary purpose is to serve name-based virtual hosts from Apache, administered by various webmasters who will have "virtual user" chrooted FTP access to the web roots of their sites, and database access by means of phpMyAdmin.

My questions are:
  • Is it safe to have virtual users FTP-authenticated with a UID of "www" and GID of "www", and not as UID of "ftpuser" and GID of "ftpgroup"?
  • I will be implementing MySQL authentication of virtual FTP users. Should I give each virtual FTP user their own high UID and GID? and if so:
  • What should be the ownership and permission for web roots so that they are secure and functional?
 
pacija said:
Is it safe to have virtual users FTP-authenticated with a UID of "www" and GID of "www", and not as UID of "ftpuser" and GID of "ftpgroup"?
I think this is somewhat of a matter of opinion but mine would be no. Simply because there's no real need to do so in order to make this thing work.

And in the (unlikely) event that something does go wrong it would be a lot easier to revoke access rights from a separate group (ftpgroup) than it would be to change your whole security scheme (because www would have had access anyway).

I'd prefer keeping authorization separated and applying a security model to make it work. Even so, as I mentioned earlier, this is most likely a matter of opinion as I can't give hard arguments as to why this would be bad by definition.

I'd still recommend against it though ;)

pacija said:
  • I will be implementing MySQL authentication of virtual FTP users. Should I give each virtual FTP user their own high UID and GID? and if so:
  • What should be the ownership and permission for web roots so that they are secure and functional?
I'm starting to wonder what it is you're hoping to gain by all this? If it is an increase in security then you're starting out wrong in my opinion, because the first step to securing your environment is (fully) understanding what is going on.

Using an /etc/passwd (and optionally /etc/shadow) environment which you fully understand (for example, by making sure to set the user accounts' shell to something like /sbin/nologin, thus preventing them from easily logging on) can be a lot safer than using a SQL-powered authentication scheme which you don't yet fully grasp.

The reason I'm mentioning this is because there is basically not that much difference between them. In the end the FTP server is still relaying ("mapping") the whole lot to a specific system account which you have to determine. And if that account isn't setup in a safe way then it would make all of this immediately meaningless (provided that your aim here is to increase security).

I think this also answers your questions. It doesn't really matter what UID or GID you're going to use because you'll still map each individual account to a specific system account (as can be read in the README file whose link you shared yourself).

And you probably want to map the user account(s) to a system account which can access the specific web directories.

There isn't a fitting answer here, we can't tell you what is the best thing to do since it all depends on the security model which you want to use. Or put differently: the way you plan to keep all this safe.
 
Thank you for your comments, @ShelLuser.

I want to use MySQL authentication because I want to be able to delegate FTP user account administration to not-so-technical people. MySQL authentication gives them the ability to do it from phpMyAdmin. At the same time, I want to maintain security: the FTP user account administrator should not be able to do anything more than create, modify and delete FTP accounts (so no shell access, just phpMyAdmin access with full permission to the database that holds the user table), and owners of those FTP accounts should not be able to do anything more than transfer files from and to their chrooted FTP directories.

Now, if FTP were the only purpose of these directories, I would instruct the FTP user account administrator to give each FTP user their own UID and GID, but this is where the web server comes into play. Those directories' main purpose is to serve web content; mostly they are web roots for CMSs like WordPress. Now, as the web server needs write access to some directories (for example for upload of files, in-CMS plugin and theme installation etc.), those directories would need 777 permission if I implemented an "each FTP user has their own UID and GID" policy.

So, my question is, which solution is the better balance between the security of my server and the security and functionality for my FTP users / webmasters:
  • Give each FTP user their own UID and GID and force them to use 777 on directories that need to be writable by the web server
  • Give each FTP user a unique UID and a GID of 80 and instruct them to use 775 on directories that need to be writable by the web server
  • Give each FTP user a UID and GID of 80 and instruct them to use 755 on directories that need to be writable by the web server
  • Something else
 