Please see OIT's syscore wiki for a definitive reference of what exists for UMBC security.
There is a common need to have a webpage viewable by the public without letting internal UMBC users view the PHP source behind it. This is usually because the code has passwords and account names hard-coded in it, or handles other sensitive data.
Use unix's standard 'per file' access controls. Go to the directory you want to lock down and find the files you want to protect.
It is highly encouraged that you first read about unix file permissions and chmod before attempting to decipher the below.
CORRECT in this case:
chmod 711 *
chmod 711 blank.php index.php
The commands above are examples of a well locked-down file. The first 7 gives the file's owner full access (read, write and execute). The middle 1 gives the file's group only eXecute access. The final 1 gives EVERYONE else only eXecute access. The PHP interpreter, running the script as the file's owner, can still read and run it, so the rendered page stays viewable to the public; but because group and other users have no read bit, a student who ssh's into that directory cannot open the file and see its innards. Note that this relies on PHP executing as the file's owner (for example under suEXEC or a per-user CGI wrapper); a web server that reads files as its own separate account would be locked out just like the student.
INCORRECT in this case:
chmod 755 blah.php
chmod 777 *
These are popular permission settings. They would NOT work in this circumstance; in fact they would be INSECURE. The 7 gives the file's owner full access. The 5 gives the file's group Read and eXecute access. The final 5 gives EVERYONE Read and eXecute access. This means that a student can cd into that directory via SSH and open or READ the files, passwords and all. 777 is worse still, since it also lets everyone modify the files.
Never use 777 except very temporarily for testing purposes (and set it back immediately after testing), or because you very much know what you are doing.
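A quick way to catch the 755/777 mistake described above, written here as an added example (it is not from the original page): a POSIX shell script that judges a chmod mode string and lists the files under a directory whose group or other read bit is set. The file names and the temporary directory used by the demo are constructed. This checks conventional unix permissions; on UMBC's AFS space the chat later on this page points out that chmod does not set the effective permissions there, so on AFS the directory ACL is what must be checked instead.

```shell
#!/bin/sh
# Added example, not from the original page. Audits the per-file
# permission approach: a PHP file with secrets should give read access
# to its owner only (e.g. 711), never to group or other (e.g. 755, 777).

# perm_leaks_read MODE
#   MODE is an octal string as typed to chmod ("711", "0755", ...).
#   Prints "leaks-read" if the group or other digit has the read bit (4)
#   set, "ok" otherwise.
perm_leaks_read() {
    mode=$1
    # Drop a leading setuid/setgid/sticky digit: "0755" -> "755".
    if [ "${#mode}" -eq 4 ]; then
        mode=${mode#?}
    fi
    group=${mode%?}; group=${group#?}   # middle digit
    other=${mode#??}                    # last digit
    case $group$other in
        *[4-7]*) echo leaks-read ;;     # 4,5,6,7 all include the read bit
        *)       echo ok ;;
    esac
}

# find_readable_files DIR
#   Lists regular files under DIR whose group read bit (040) or other
#   read bit (004) is set; these are the files a student could cat.
find_readable_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# demo_modes: constructed directory reproducing the CORRECT (711) and
# INCORRECT (755) cases from the text; only blah.php should be reported.
demo_modes() {
    dir=$(mktemp -d)
    : > "$dir/index.php"; chmod 711 "$dir/index.php"
    : > "$dir/blah.php";  chmod 755 "$dir/blah.php"
    echo "mode 711 -> $(perm_leaks_read 711)"
    echo "mode 755 -> $(perm_leaks_read 755)"
    echo "files under $dir readable by group or everyone:"
    find_readable_files "$dir"
    rm -rf "$dir"
}

# Run the demo only when invoked as "sh audit_modes.sh demo", so the
# functions can also be sourced into another script.
if [ "${1:-}" = demo ]; then
    demo_modes
fi
```

Run `sh audit_modes.sh demo` to see the constructed case, or source the file and run `find_readable_files /path/to/your/site` against a real tree before making it public.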
Use the Andrew File System's (AFS) 'per directory' Access Control Lists. Go to the directory you want to lock down. Keep constantly in mind that AFS ACLs work at the directory level: you are setting the security for an entire directory at a time, and every file in that directory is governed by the directory's ACL. Each subdirectory has its own ACL, so a change to a parent does not propagate downwards (see the find example at the end of this page).
It is highly encouraged that you first read the AFS Access Control Lists documentation and other documentation on www.openafs.com before attempting to decipher the below. OIT's syscore wiki page on AFS is also good.
CORRECT in this case:
linux3[82]% fs listacl .
Access list for . is
Normal rights:
  nyeates1:gradbus rlidwka
  oit.webadmins rlidwk
  system:administrators rlidwk
  system:anyuser rl
  nthomas1 rlidw
linux3[83]% fs setacl . system:anyuser l
linux3[82]% fs listacl .
Access list for . is
Normal rights:
  nyeates1:gradbus rlidwka
  oit.webadmins rlidwk
  system:administrators rlidwk
  system:anyuser l
  nthomas1 rlidw
The command line entries above first show the current access control list, then modify it, and finally display the modified list. system:anyuser means everyone, including people who have not authenticated to AFS at all. You do not want anyone out there being able to read (r) your sensitive, password-laden files. The setacl command gives system:anyuser only list (l) rights on the current directory ( . = current directory ), so they can see that files exist but cannot read their contents. Whatever account the web server reads the files as must still hold r, through its own ACL entry or a group it belongs to, or the public page will stop working.
INCORRECT in this case:
linux3[82]% fs listacl .
Access list for . is
Normal rights:
  nyeates1:gradbus rlidwka
  oit.webadmins rlidwk
  system:administrators rlidwk
  system:anyuser rl
  nthomas1 rlidw
The original ACL shown above is the incorrect case: system:anyuser has read (r) on the directory, so anyone at all, authenticated or not, can read every file in it, passwords included.
To verify your change, log in over SSH as a student or other unprivileged user and check whether you can read the files.
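To audit the ACL state described above without eyeballing fs listacl output, here is an added example (not from the original page): a POSIX shell script that parses fs listacl output and reports any directory where system:anyuser holds more than list (l) rights. The two embedded listings are copied from the CORRECT and INCORRECT cases above so the script runs without an AFS client; audit_tree shows how it would be driven against a real directory tree and is the only part that needs the fs command.

```shell
#!/bin/sh
# Added example, not from the original page. Flags AFS directories whose
# ACL lets system:anyuser (everyone, authenticated or not) do more than
# list the directory.

# anyuser_rights
#   Reads "fs listacl" output on stdin and prints the rights string given
#   to system:anyuser in the "Normal rights:" section (empty if absent).
#   Negative rights are skipped on purpose: they only take rights away.
anyuser_rights() {
    awk '
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && $1 == "system:anyuser" { print $2 }
    '
}

# judge_anyuser RIGHTS
#   "ok" when RIGHTS is empty or only l; "insecure" when any of
#   r i d w k a is present (r alone already exposes file contents).
judge_anyuser() {
    case $1 in
        *[ridwka]*) echo insecure ;;
        *)          echo ok ;;
    esac
}

# audit_acl_listing NAME
#   Runs both steps over a listing on stdin and prints one report line.
audit_acl_listing() {
    rights=$(anyuser_rights)
    if [ "$(judge_anyuser "$rights")" = insecure ]; then
        echo "INSECURE $1 (system:anyuser has $rights)"
    else
        echo "OK $1 (system:anyuser has ${rights:-no rights})"
    fi
}

# audit_tree DIR
#   On a real AFS client: audit every directory under DIR. Read-only
#   counterpart of the "find ... -exec fs setacl" idiom, since each
#   subdirectory carries its own ACL.
audit_tree() {
    find "$1" -type d | while IFS= read -r d; do
        fs listacl "$d" | audit_acl_listing "$d"
    done
}

# Constructed sample: the INCORRECT listing from this page.
SAMPLE_BEFORE='Access list for . is
Normal rights:
  nyeates1:gradbus rlidwka
  oit.webadmins rlidwk
  system:administrators rlidwk
  system:anyuser rl
  nthomas1 rlidw'

# The same directory after "fs setacl . system:anyuser l".
SAMPLE_AFTER='Access list for . is
Normal rights:
  nyeates1:gradbus rlidwka
  oit.webadmins rlidwk
  system:administrators rlidwk
  system:anyuser l
  nthomas1 rlidw'

demo_acl_audit() {
    printf '%s\n' "$SAMPLE_BEFORE" | audit_acl_listing before
    printf '%s\n' "$SAMPLE_AFTER"  | audit_acl_listing after
}

if [ "${1:-}" = demo ]; then
    demo_acl_audit
fi
```

`sh audit_acl.sh demo` reports the first listing as INSECURE and the second as OK; on a machine with an AFS client, source the file and run `audit_tree /afs/umbc.edu/public/www/yoursite` to check a whole tree.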
Below is a conversation between Nick Yeates and his student web helper. She was setting up Mambo, a server-side CMS, in UMBC's AFS space. Most of the commands discussed are run at a command prompt reached over SSH.
(15:28:02) Ska Dood 1: wget http://www.blah.com/blah.zip
(15:28:05) Ska Dood 1: like that
(15:28:16) lovien2go: okee dokee
(15:28:36) Ska Dood 1: has to be a filename...if u do it on html it will just download the html file for u
(15:43:19) lovien2go: mambo needs to be able to write to directories it seems to be having access issues
(15:43:21) lovien2go: im trying chmod
(15:43:25) lovien2go: okee
(15:43:32) Ska Dood 1: ahhhh, the joys of chmod
(15:43:37) lovien2go: :-p
(15:43:57) Ska Dood 1: so your next lesson from me....is that changemod, on our system, does not set TRUE file permissions
(15:44:12) Ska Dood 1: we use AFS, which has its own system (those fs commands i gave u)
(15:44:19) lovien2go: right
(15:44:24) Ska Dood 1: in AFS, permissions are given to directories
(15:44:44) Ska Dood 1: on things called ACLs access control lists
(15:44:48) Ska Dood 1: fs listacl
(15:44:57) Ska Dood 1: fs setacl
(15:45:19) Ska Dood 1: u can probably look up documentation for more commands on the web if u google AFS manual or something
(15:45:35) lovien2go: ohboy
(15:47:03) Ska Dood 1: u might need to give the webserver user (www.umbc) access to certain directories so that the server can modify those directories (create pages)
(15:47:23) Ska Dood 1: take a look at the acl settings in /afs/umbc.edu/public/www/gradbusiness/deansearch/data
(15:47:25) Ska Dood 1: :-D
(15:48:45) lovien2go: whats rlidwk?
(15:49:45) lovien2go: nm i got it ;)
(15:50:16) Ska Dood 1: read list insert....u got it?
(15:50:31) Ska Dood 1: a is admin......means u can set permissions to other users
(15:50:44) lovien2go: righttt
(15:51:03) Ska Dood 1: so that is how u might add permissions to the user 'www.umbc' if needed
(15:51:12) Ska Dood 1: yes, VERY confusing
(15:51:19) Ska Dood 1: it took me long to figure it out
(15:51:26) lovien2go: do i need to add user umbc?
(15:51:36) Ska Dood 1: user www.umbc
(15:51:45) Ska Dood 1: only to directories where
(15:51:54) Ska Dood 1: the server might write a file or data
(15:52:04) lovien2go: ahhh!
(15:52:08) Ska Dood 1: so say someone submits some page edits to mambo
(15:52:24) Ska Dood 1: mambo hands it to the webserver to write those edits to a certain directory
(15:52:30) lovien2go: right
(15:52:42) Ska Dood 1: that directory or files needs user perms for www.umbc (the webserver user)
(15:52:58) lovien2go: thats not the same as system(any user) ?
(15:53:10) Ska Dood 1: no
(15:53:29) Ska Dood 1: that is like the kid coming off the street to our website
(15:53:31) Ska Dood 1: its anyone
(15:53:50) Ska Dood 1: good thing u asked:-D
(15:53:59) Ska Dood 1: i will overlook yer security settings later
(15:54:09) Ska Dood 1: cause there are easy mistakes to make
(15:54:18) Ska Dood 1: and then all of a sudden anyone can hack yer site
(15:54:36) lovien2go: hhmmm
(15:54:40) lovien2go: ok
(16:00:01) lovien2go: hmm i gave www.umbc write permissions and it still says unwritable to that dir
(16:00:13) Ska Dood 1: which dir
(16:00:26) lovien2go: administrator/backups
(16:02:23) lovien2go: Oops fixed
(16:02:36) lovien2go: i had it just as w and changed it to rlida....
(16:02:43) lovien2go: too much?
(16:03:59) Ska Dood 1: wait
(16:04:04) Ska Dood 1: do it do rlidwk
(16:04:10) Ska Dood 1: for www.umbc
(16:04:24) Ska Dood 1: cause it doesnt need to change any users access to stuff (which is 'a')
(16:04:31) lovien2go: alright
(16:04:35) Ska Dood 1: but it will need to write, and maybe lock
(16:04:56) lovien2go: yay!
(16:22:42) lovien2go: hmmm..database... ?
(16:28:13) Ska Dood 1: hmmm, huh?
(16:28:22) lovien2go: it wants a database to work from
(16:30:15) Ska Dood 1: Here, this is from a settings.php file on another application that I installed...
(16:44:22) Ska Dood 1: define('MYSERVER','mysql1.umbc.edu');
define('MYLOGIN','nyeates1');
define('MYPASSWORD','********'); // HIDDEN INTENTIONALLY
define('MYDATABASE','nyeates1');
(16:47:54) lovien2go: yay!
(16:48:03) lovien2go: it said success ;)
At UMBC, AFS quotas are in use. You can view them with the AFS fs command (lq = list quota):
fs lq <dir>
fs lq .
To view a directory's ACL:
fs listacl <dir>
fs listacl /afs/umbc.edu/public/www/gradbusiness/
fs listacl .
To set the rights of one user or group on a directory (the permission is either a string of the letters below or one of the shorthand words):
fs setacl <dir> <user> <permission>
fs setacl . dlee3 rlidw
fs setacl /download/ nyeates1 write
fs setacl . cr3 none
| Shorthand | Equivalent rights |
| read | rl |
| write | rlidwk |
| all | rlidwka |
| none | no rights (removes the user's entry from the ACL) |

| Letter | Right |
| r | Read (read the contents of files in the directory) |
| l | List (list the directory's contents and look up files in it) |
| i | Insert (create new files or subdirectories) |
| d | Delete (remove files or subdirectories) |
| w | Write (modify existing files; with chmod, change their mode bits) |
| k | locK (set advisory locks on files) |
| a | Admin (change the directory's ACL) |
Because every subdirectory carries its own ACL, a setacl on the top directory does not reach the ones below it. To apply the same rights to a whole tree, let find call fs setacl on each directory:
find <dir> -type d -exec fs setacl {} <user> <perm> \;
find . -type d -exec fs setacl {} nyeates1 all \;