...

Code Block
languagebash
# create one group per client, then one user per client whose primary group is that client's group
sudo groupadd --gid 3100 wgdailyplanet
sudo groupadd --gid 3101 wglexcorp
sudo useradd -d /opt/web/php/ckent -m -g wgdailyplanet -u 4001 -c "Clark Kent" -s /bin/bash ckent
sudo useradd -d /opt/web/php/lluthor -m -g wglexcorp -u 4006 -c "Lex Luthor" -s /bin/bash lluthor

...

The scenario is that we want to provide website hosting for two different clients, whom we will start by separating into two different groups (wgdailyplanet and wglexcorp),

...

Directory | Permissions | ACL | ACL (default)
/web/ | rwXr-X--X | www-data:rX | www-data:rX
/web/php/ | rwXr-X--X | www-data:rX | www-data:rX
/web/php/tmp/ | rwXr-X--- | www-data:rwX | www-data:rwX
/web/php/logs/ | rwXr-X--- | www-data:rwX | www-data:rwX
/web/php/dailyplanet/ | rwXr-X--- | www-data:rX, wgdailyplanet:rwX | www-data:rX, wgdailyplanet:rwX
/web/php/dailyplanet/www/ | rwXr-X--- | www-data:rX, wgdailyplanet:rwX | www-data:rX, wgdailyplanet:rwX
/web/php/dailyplanet/blog/ | rwXr-X--- | www-data:rX, wgdailyplanet:rwX | www-data:rX, wgdailyplanet:rwX
/web/php/dailyplanet/blog/wp-content/ | rwXr-X--- | www-data:rwX, wgdailyplanet:rwX | www-data:rwX, wgdailyplanet:rwX
/web/php/lexcorp/ | rwXr-X--- | www-data:rX, wglexcorp:rwX | www-data:rX, wglexcorp:rwX
/web/php/lexcorp/www/ | rwXr-X--- | www-data:rX, wglexcorp:rwX | www-data:rX, wglexcorp:rwX
/web/php/lexcorp/blog/ | rwXr-X--- | www-data:rX, wglexcorp:rwX | www-data:rX, wglexcorp:rwX
/web/php/lexcorp/blog/wp-content/ | rwXr-X--- | www-data:rwX, wglexcorp:rwX | www-data:rwX, wglexcorp:rwX

All directories must be owned by serveradmin:staff

The utility setfacl is used to add the groups to the ACL for the respective directories,

Take a look at the ACLs,

web Folder

Start by creating the web folder under /opt. Because the whole tree is owned by serveradmin:staff, every step below needs sudo.

Code Block
languagebash
cd /opt
sudo mkdir web
# next set the permissions: owner rwx, group r-x, other x only (X = execute on directories only)
sudo chmod u+rwX,g+r-w+X,o-rw+X web
sudo chown -R serveradmin:staff web
# now add www-data and staff to the ACL
sudo setfacl -Rm g:www-data:rX ./web/
sudo setfacl -Rm g:staff:rX ./web/

Now check your permissions for the web folder

Code Block
languagebash
getfacl web
# file: web
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
# staff is given read access so that virtual-host users cannot create files and hide them from the administrators
mask::r-x
other::--x

...


...

Once we are happy with the permissions, set the default ACLs so that any files or folders created underneath the parent directory inherit them.

Look at the default ACLs first. A folder's default ACL only affects the folders and files created inside it, and at this point there are no default entries at all:

Code Block
languagebash
getfacl --default web
# file: web
# owner: serveradmin
# group: staff

...


To apply the permissions to defaults use

Code Block
languagebash
getfacl --access ./web/ | sudo setfacl -d -RM - ./web/

getfacl --access retrieves only the access ACL of the directory (default entries are not returned). Its output is piped to setfacl, which reads the entries from standard input (-M -) and applies them recursively (-R) as default entries (-d), so the default ACL becomes a copy of the access ACL.

...

Code Block
languagebash
getfacl --default ./web/
# file: web
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::--x

To see both the access ACL and the default ACL at once, do not specify either option:

Code Block
languagebash
getfacl ./web/
# file: web
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::--x
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::--x

php Folder

Now go into the web folder and create the php folder

Code Block
languagebash
cd web
sudo mkdir php
sudo chown -R serveradmin:staff php
getfacl php
# file: php
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::--x
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::--x

 

...


The php folder has inherited its permissions from web. Notice that the next set of folders do not give execute to others, so rather than setting the others permission on each folder, simply change the others permission of php (and its default ACL) before creating them.

Code Block
languagebash
cd /opt/web
sudo chmod o-rwx php
# next apply this change to the default ACL
getfacl --access ./php/ | sudo setfacl -d -RM - ./php/
# check the permissions
getfacl php
# file: php
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::---

Setting up the Virtual Hosts Structure

Next create your folders

Code Block
languagebash
cd php
sudo mkdir dailyplanet
sudo mkdir lexcorp
sudo mkdir tmp
sudo mkdir logs
#remember serveradmin:staff must own the directory
cd ..
sudo chown -R serveradmin:staff php
#change the php folder permissions back to the way it was
sudo chmod o-rw+X php
getfacl --access ./php/ | sudo setfacl -d -RM - ./php/
#check the permissions 
getfacl php

Now to add the necessary groups to their respective virtual hosts

Code Block
languagebash
cd php
sudo setfacl -Rm g:wgdailyplanet:rwX dailyplanet
# copy the access ACL to the default ACL before creating the subfolders so they inherit it
getfacl --access ./dailyplanet/ | sudo setfacl -d -RM - ./dailyplanet/
cd dailyplanet
sudo mkdir www
sudo mkdir blog
cd ..
sudo chown -R serveradmin:staff dailyplanet

 

Repeat the same steps for lexcorp and change the group accordingly,
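The steps above, collected into one script as an added example (this is not the page's own code). It follows the directory table: serveradmin:staff ownership, the client group rwX and www-data rX on each virtual host, www-data rwX only under blog/wp-content and in tmp and logs, and the default ACL set explicitly with setfacl -d -m, which has the same effect as the getfacl --access | setfacl -d -RM - pipe used on the page. BASE, OWNER, APPLY and the function names are assumptions of this example. By default it only prints the commands; set APPLY=1 to execute them with sudo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: provision one PHP virtual
# host under /opt/web/php following the directory table. It prints the
# commands it would run (dry run); with APPLY=1 it executes them via sudo.
# BASE, OWNER, APPLY and the function names are assumptions of this example.
set -eu

BASE=${BASE:-/opt/web/php}      # assumed root of the virtual hosts
OWNER=serveradmin:staff         # every directory must be owned by this

# run CMD...: echo the command; execute it (under sudo) only when APPLY=1
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        sudo "$@"
    fi
}

# ACL for a client directory: client group rwX, web server and staff rX only
client_acl() {
    printf 'g:%s:rwX,g:www-data:rX,g:staff:rX' "$1"
}

# provision_vhost NAME GROUP: directory tree plus access and default ACLs.
# ACLs go on before the subdirectories are created so that they inherit them.
provision_vhost() {
    local name=$1 group=$2 sub
    local dir="$BASE/$name"
    run mkdir -p "$dir"
    run chown "$OWNER" "$dir"
    run chmod u=rwX,g=rX,o= "$dir"
    run setfacl -m "$(client_acl "$group")" "$dir"
    run setfacl -d -m "$(client_acl "$group")" "$dir"
    for sub in www blog blog/wp-content; do
        run mkdir -p "$dir/$sub"
        run chown "$OWNER" "$dir/$sub"
    done
    # only wp-content is writable by the web server (uploads, plugins)
    run setfacl -m g:www-data:rwX "$dir/blog/wp-content"
    run setfacl -d -m g:www-data:rwX "$dir/blog/wp-content"
}

# provision_shared: tmp and logs, the only other places www-data may write
provision_shared() {
    local d
    for d in tmp logs; do
        run mkdir -p "$BASE/$d"
        run chown "$OWNER" "$BASE/$d"
        run chmod u=rwX,g=rX,o= "$BASE/$d"
        run setfacl -m g:www-data:rwX "$BASE/$d"
        run setfacl -d -m g:www-data:rwX "$BASE/$d"
    done
}

# usage:  ./provision.sh           (print the plan only)
#         APPLY=1 ./provision.sh   (run it with sudo)
provision_shared
provision_vhost dailyplanet wgdailyplanet
provision_vhost lexcorp wglexcorp
```

Read the printed plan before setting APPLY=1; a typo in the group name would silently give the wrong client write access, and setfacl will not complain as long as the group exists.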

Testing Restrictions

User Lex Luthor has been given access to his directory "lexcorp" but learns of the "dailyplanet" directory by using his robots to spy on Clark Kent's computer. So Lex opens a terminal...

Code Block
languagebash
cd /opt/web/php/
cd dailyplanet
-su: cd: dailyplanet: Permission denied

After failing to enter dailyplanet he enters his own directory lexcorp and creates a directory to keep his evil plan.

Code Block
languagebash
cd /opt/web/php/lexcorp
mkdir secrets
chmod 700 secrets
cd secrets
# ... write the evil plan here
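That last chmod is worth checking, because it defeats the reason staff was added to the ACL. On a directory that carries an extended ACL, chmod does not touch the owning-group entry: the group bits of the mode are written into the mask entry instead, and every named user and group entry is ANDed with that mask. chmod 700 therefore sets mask::---, and www-data and staff keep their entries but lose all effective rights; only root, which bypasses permission checks, can still look inside. The script below is an added example, not part of the original page: it computes effective rights from getfacl output the way the kernel does, and applies it to two constructed listings of the secrets directory, before and after the chmod.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: compute the rights a named ACL
# entry actually grants by applying the mask, as the kernel does. The two
# getfacl listings below are constructed to show what "chmod 700 secrets"
# does to a directory that inherited the lexcorp default ACL.
set -eu

# effective_rights ACL_TEXT ENTRY -> prints rwx-style rights, e.g. "r-x".
# ENTRY is "group:NAME" or "user:NAME". Named entries (and the owning group)
# are ANDed with the mask; the owner and "other" entries are never masked.
effective_rights() {
    local acl_text=$1 who=$2
    printf '%s\n' "$acl_text" | awk -v who="$who" '
        /^#/ || /^$/ || /^default:/ { next }        # headers, blanks, defaults
        { sub(/[ \t]+#effective:.*$/, "") }         # drop getfacl annotations
        $0 ~ ("^" who ":") { split($0, f, ":"); entry = f[3] }
        /^mask::/          { split($0, f, ":"); mask  = f[3] }
        END {
            if (entry == "") { print "---"; exit }  # no such entry: no rights
            if (mask == "")  { print entry; exit }  # minimal ACL has no mask
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# Constructed: getfacl output for /opt/web/php/lexcorp/secrets right after
# "mkdir secrets". It inherits the lexcorp default ACL; lluthor's primary
# group is wglexcorp, so that is also the owning group.
ACL_INHERITED='# file: secrets
# owner: lluthor
# group: wglexcorp
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wglexcorp:rwx
mask::rwx
other::---'

# Constructed: the same directory after "chmod 700 secrets". The named
# entries are still listed, but the mask is now --- so none of them applies.
ACL_AFTER_CHMOD='# file: secrets
# owner: lluthor
# group: wglexcorp
user::rwx
group::r-x                      #effective:---
group:www-data:r-x              #effective:---
group:staff:r-x                 #effective:---
group:wglexcorp:rwx             #effective:---
mask::---
other::---'

# compare_rights: one line per group, before and after the chmod
compare_rights() {
    local g
    for g in group:staff group:www-data group:wglexcorp; do
        printf '%-16s inherited=%s  after chmod 700=%s\n' "$g" \
            "$(effective_rights "$ACL_INHERITED" "$g")" \
            "$(effective_rights "$ACL_AFTER_CHMOD" "$g")"
    done
}
compare_rights
```

On a real system the same check is `getfacl secrets`: any line carrying an `#effective:` annotation is an entry the mask has cut down. If staff visibility is a requirement rather than a convenience, it has to be enforced by something the user cannot chmod away, for example a periodic audit by root that flags directories under /opt/web/php whose mask hides the staff entry.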

 

Backup and Restore

Introduction

...