1

[ubuntu] Locking down /var/www properly

view story
linux-howto

http://ubuntuforums.org – It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with. Security of /var/www is left as-is. Security of the directories and subdirectories under /var/www have the following perm/user/group: drwxrws--- martijn www Security of files in those directories (recursive) is: -rw-rw---- martijn www martijn is the owner. www is the group. www-data is member of www. I need my websites to be writable by themselves. Please don't dive into this, this is just the way I need it. For this requirement, the security seems quite alrigh (Hardware)

colm's picture
Submitted by colm on 09/11/2012

Stories similar to [ubuntu] Locking down /var/www properly

I wanted to ask about connecting EC2 to RDP in AWS.

I have added my EC2 Security Group (that contains the EC2 instances) into the Default RDP Group and Data is flowing - the connection works.

The EC2 Security group has Port 80 to 0.0.0.0/0 and SSH to my IP enabled.

I ran some security tests on a Ubuntu 12.04 server, and i've got theses warnings :

PHP may be executing as a "privileged" group, which could be a serious security vulnerability. PHP may be executing as a "privileged" user, which could be a serious security vulnerability.

In /etc/apache2/envvars i have this :

export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data

And all files in /v

We're setting up a CentOS 6.2/ Apache web server with higher security requirements than I'm used to.

I've set up a user group called "web" and I want to limit it's members to only being able to read, write and execute in /var/www/html/ and subdirectories.

Within our AD set-up there are a lot of security groups, but only 1 distribution group (that a previous admin created). Both types of group contain lists of domain objects (users in the one I was looking at).

What is the difference between a Security Group and a Distribution Group?

I have an instance with security group A and an instance with Security group B. They have the internal IPs: 10.0.0.41 (A) and 10.0.2.215 (B) A does not have B as allowed in the security group A, and vice versa. But they suppose to be on the same intranet. Is it possible to connect those Windows instances? For example to allow 10.0.0.41 to connect to 10.0.2.215:22?

Written by: Stuart Corner | Published in: StrategyThe Cloud Security Alliance (CSA) and Fujitsu Laboratories of America have formed the Big Data Working Group to "address the need for collaborative research and solutions to today's big data security challenges."

What is the correct way to set up directories to allow user uploads on Linux? My websites upload dir is 755, but Linux naturally doesn't let files be written to this directory except by the user. So should I change the directory to 777 or do some kind of group manipulation? Bare in mind, I don't want to open myself up to any security risks.

Bret Hartman, a well-known and highly regarded 30-year security industry veteran, is Cisco System’s (NASDAQ: CSCO) new chief technology officer for the Security Technology Group, according to a blog by Chris Young, Cisco senior vice president, Security and Government Group. Hartman, most recently CTO at RSA, EMC’s (NYSE: EMC) security division, is tasked with defining Cisco’s overall security tech

Any ideas how to allow one non-root process to access (read&write) all home directories without compromising security?