31

I recently installed Ubuntu server on my server to try out the linux as a new user. I followed a tutorial on how to set up the web server which said I need to chmod 777 the web server dir so that it can be written into.

Anyway, I created a new account for one dude to allow him to see some files on the server which I placed in his home dir:

adduser francis

After creating the account I checked what access he has with 

groups francis

It said "francis : francis", so not a problem I thought, the ubuntu hasn't included him in any groups by default, which makes sense, it created him with no extra permissions security-wise, so everything is fine and dandy. A week later, in absolute and utter horror, I found out that even though he couldn't do things like SUDO or mess around in system directories, he had full access to almost everything else on the server. For example he had full read/write access to my web server files at /var/www (and thus passwords stored in php configs files etc) even though that directory is NOT in his home directory and I never added him into any groups which could access that directory, nor I granted him any special access to anything ever after doing the adduser.

Anyway, what is going on here? How do I kill his access to anything important? He should not be able to access stuff like /media or /var/www. I thought that new users were by default prevented from doing anything dangerous or snooping where they shouldn't be.

So the sum it up, I only need to allow him access to directories which I manually specify + to directories which he needs to function properly (his home dir, vim, nano etc..)

Thank you

mwfearnley
  • 3,317
  • 2
  • 22
  • 28
Askerman
  • 826
  • 4
    What permissions do you have on those directories? 755? – You'reAGitForNotUsingGit Sep 27 '16 at 14:35
  • 4
    I followed some tutorial on how to set up the web server which said I need to chmod 777 the web server dir so that it can be written into – Askerman Sep 27 '16 at 14:39
  • 3
    On my server you need sudo to write to var/www.I think you have serious permission issues on your setup. – Organic Marble Sep 27 '16 at 14:41
  • Not the webserver where the (linux variant of) exe files and stuff are, but rather the /var/www where the web page files are stored – Askerman Sep 27 '16 at 14:41
  • 31
    You're doing chmod 777 and asking why everyoone can read write there? read the man page for chmod – Anwar Sep 27 '16 at 14:42
  • 16
    Yeah, 777 is your problem, for multiple reasons. – You'reAGitForNotUsingGit Sep 27 '16 at 14:42
  • 3
    @Askerman Please provide the link to this tutorial so we can attempt to fix it. – edwinksl Sep 27 '16 at 14:43
  • @edwinksl it wasn't on this website, it was a video youtube tutorial, i don't have the link anymore. I assumed that chmod wasn't a problem because I thought the usergroups work the same way i used them in windows: it doesn't matter if the file is 777 or not because it won't even let you access it in the first place if you aren't in the owner group – Askerman Sep 27 '16 at 14:45
  • 21
    @Askerman - Nope, when you give 777, everyone can access everything, please give this a read: https://www.linux.com/learn/understanding-linux-file-permissions – You'reAGitForNotUsingGit Sep 27 '16 at 14:49
  • Hmm. 640 comes to mind – Elder Geek Sep 27 '16 at 14:59
  • 3
    Yeah the first 7 is for the owner, the second 7 is for the owner's group, and the third 7 is for everyone. And since 7=R+W+X, you gave everyone read, write, and execute permissions on that directory. – Aaron Sep 27 '16 at 15:04
  • 5
    does this help? http://askubuntu.com/questions/386928/default-permissions-for-var-www – Zanna Sep 27 '16 at 15:05
  • 1
    @Aaron - Exactly, which is why I suggested they read: https://www.linux.com/learn/understanding-linux-file-permissions – You'reAGitForNotUsingGit Sep 27 '16 at 15:05
  • 11
    We all make mistakes, especially when we're learning in an entirely new environment. This is a good one to learn from, it's definitely wise to shed your notions of how things work in Windows when using a Linux based OS. After reverting your permissions, you should notice that the user can't change anything that they shouldn't be able to. If you used chmod elsewhere, you may have other problems though. – Arronical Sep 27 '16 at 15:10
  • 8
    FYI- I am upvoting this question because it's actually a good one for new people to find. And this misconception is probably more common than we think. This is also a good example of why you shouldn't just copy commands you find on the internet (even here) without knowing what they do. – Aaron Sep 27 '16 at 15:25
  • 4
    Also, why are passwords stored unhashed, in plaintext, in files anyone can read?? – cat Sep 27 '16 at 19:32
  • 7
    @cat Some passwords, like the passwords to connect to SQL servers, have to be in plaintext because they have to be used. That being said, your question of why they are stored ... in files anyone can read is a valid question. I think it's answered by the chmod 777 issue – Cort Ammon Sep 28 '16 at 00:56
  • Has the question been editted? I see no mention in it of chmod or 777 – Mawg says reinstate Monica Sep 28 '16 at 06:39
  • @Arronical the problem is not that he made a mistake but that he makes mistakes with a server in the internet. People keep wondering why there are bots everywhere DDOSing around like in the case of Krebs and the solution is because there are a ton of guys who try out stuff with Youtube tutorials from who knows who. – dryman Sep 28 '16 at 07:50
  • 2
    @Mawg It's in the (probably hidden by default) comments. – TripeHound Sep 28 '16 at 07:56
  • 5
    Thanks (+1). It would be nice if the OP would update the question, otherwise much of this discussion including *the answer is meaningless* and of no help whatsoever to people finding this question in future. @Askerman - can you do that, please? – Mawg says reinstate Monica Sep 28 '16 at 08:41
  • 2
    @dryman I know that, you know that, but someone new to doing this doesn't. I'm in no way defending what the OP did, but don't think it's constructive for people to come on and make negative comments about them, without attempting to contribute any knowledge or solution. Also aren't many members of botnets just compromised routers? – Arronical Sep 28 '16 at 08:55
  • @Arronical You are right but it is simply frustrating. And no, not everybody who is new to this does not know this. When I was new to this I didn't think about renting a potential 100mbit capable server there for the taking though I could have. I still personally only have a little box at home available through VPN only. And yes most DDOS devices nowadays seem to be routers and network cameras and stuff but they at least don't have such fast connections and so much power like the ghostships idling around the internet. Not to talk about warez ircs and alle the other nasty stuff around. – dryman Sep 28 '16 at 09:39
  • 1
    @dryman I know what you mean, I feel like having a server with ports open to the internet is actually a big responsibilty, and one I'd not try until fully informed. I agree that the proliferation of dodgy youtube tutorials is a bad thing. I have a feeling that they're talking about a bare metal home server though. – Arronical Sep 28 '16 at 10:05
  • @Arronical If this is the case and it is only a home server I admit I overreacted though it is still a bad idea to have it directly connected to the internet. I feel the same about the responsibility. As a developer a vroot server is of course tempting but since I can not guarantee the appropriate maintenance I refrain from doing so. – dryman Sep 28 '16 at 11:38
  • Coming here after so many comments, it wasn't obvious why everyone was talking about chmod 777.. I've upvoted @Askerman's comment for this reason, but maybe it should be part of the question. – mwfearnley Sep 28 '16 at 19:43

5 Answers5

40

This is as designed. And worse. chmod 777 means... "I'd like the owner, anyone in his group, and anyone at all to have read, write and execute permissions"

Which is pretty terrible.

And for a web server, 777 is not optimal. 755 (Owner has full permissions group and others have read + execute) is a common default but from what you've said you want at least read-write, or read-write execute for the owner (the web server user), and maybe the group, and no permissions for the user. There's a more complete questions on what appropriate permissions levels are on serverfault but consider something like 640 or 740.

that said, you could also put the user in his own little world - setting up chroot to keep the user in his own space in the system. There's guides floating around for doing this - for example oli's excellent answer here which may be an option depending on your needs.

Community
  • 1
Journeyman Geek
  • 3,013
19

Essentially, it breaks down like this:

R = 4 (read)
W = 2 (write)
X = 1 (execute)

So, read permissions only would be 4, read and write would be 6, read and execute would be 5, and all (read, write, execute) is 7. This is how you compute a permission octet value for an owner, owner's group, or everyone.

When applying those permissions with chmod to a file or directory location, the numbers computed above are applied like this, with an octet each for owner, group, and everyone:

     $ chmod _ _ _ <file or directory>
             | | |
owner--------  | |
owner's group--  |
everyone---------

So if I wanted to give myself and my group read, write and execute permissions to a folder that I owned, but I didn't want everyone to even be able to read it, I'd use:

$ chmod 770 myDirectory

For more information, check the man page for chmod:

$ man chmod
Aaron
  • 6,714
  • If you can't remember the bits to add together to make the right permissions in the right order, you can also use the arguably easier to read chmod ugo+rwx <...>.

    The characters stand for user, group, other; read, write, execute. You can use '-' to remove ( eg: chmod go-wx <...>).

    Just note that this only adds or removes exactly what you type. chmod ugo+rwx <file>; chmod u+rwx <file> does not remove access for group/other.

     – ReactiveRaven Sep 28 '16 at 14:51
  • @ReactiveRaven That's a great point. But the OP was obviously confused about what chmod 777 did, so that was where I directed my explanation. – Aaron Sep 28 '16 at 15:37
  • @Zanna Good call! – Aaron Sep 29 '16 at 18:56
5

As others have mentioned you should not have permissions set to 777

Here's a helpful reference sheet that i use. 

+-----+---+--------------------------+
| rwx | 7 | Read, write and execute  |
| rw- | 6 | Read, write              |
| r-x | 5 | Read, and execute        |
| r-- | 4 | Read,                    |
| -wx | 3 | Write and execute        |
| -w- | 2 | Write                    |
| --x | 1 | Execute                  |
| --- | 0 | no permissions           |
+------------------------------------+
You can use the octal notation, where the three digits correspond to the user, then group, then other. 
Perhaps this might help 
+------------+------+-------+
| Permission | Octal| Field |
+------------+------+-------+
| rwx------  | 700  | User  |
| ---rwx---  | 070  | Group |
| ------rwx  | 007  | Other |
+------------+------+-------+
WhyAyala
  • 151
  • 4
3

In order to share files with a person you gave a login to, you don't need to do anything in particular. On a default Debian installation, users have access to each others' home directories.

For instance,

$ ls -ld ~
drwxr-xr-x 65 zwets zwets 4096 Sep 29 12:06 /home/zwets

Permissions on my home directory are read (r) and access (x) for any user on my system. Only I additionally have write (w) access.

Also, the default umask on Ubuntu is such that files and directories that users create are world readable by default. You could set the umask to 077 if you didn't want that.

What this means that in a default setup, if user you wants to share document ~/README.txt with me, then there's nothing you needs to do. I can simply view it:

$ who am i
zwets    pts/26       2016-09-29 08:05 (:pts/19:S.6)
$ ls -l ~you/README.txt
-rw-r--r-- 1 you you 24 Sep  8 11:23 /home/you/README.txt
$ cat ~you/README.txt
You's shared thoughts.

I can't edit or remove the file, but I can copy it to a location where I have write permission. Then I own the copy:

$ echo "Adding my thoughts." >> ~you/README.txt
bash: /home/you/README.txt: Permission denied
$ rm ~you/README.txt
rm: remove write-protected regular file '/home/you/README.txt'? yeah!
rm: cannot remove '/home/you/README.txt': Permission denied
$ cp ~you/README.txt ~zwets
$ ls -l ~/README.txt
-rw-r--r-- 1 zwets zwets 24 Sep  29 14:09 /home/zwets/README.txt

There are good reasons why most of the system is world readable by default, as I've explained in another answer on AskUbuntu. However, on a shared system it may make sense to make home directories inaccessible to non-owners:

$ chmod o-rwx ~
$ ls -l ~
drwxr-x--- 65 zwets zwets 4096 Sep 29 12:06 /home/zwets

... as many users apparently aren't aware of the default - QED ;-). It would be wiser though to make users aware that file permissions don't protect secrets.

Community
  • 1
zwets
  • 12,354
1

In Ubuntu, any user has superuser privilege who are added in the group 'sudo', Please check it to ensure that no other user are added in this group.

To secure your files and directory from other users you can set permission as suggested by Mr. Journeyman Geek in above answer.

You can also use special permissions to secure your files and directories from others.

Puneet Dixit
  • 756