...
```bash
sudo groupadd --gid 3100 wgdailyplanet
sudo groupadd --gid 3101 wglexcorp
sudo useradd -d /opt/web/php/ckent -m -g wgdailyplanet -u 4001 -c "Clark Kent" -s /bin/bash ckent
sudo useradd -d /opt/web/php/lluthor -m -g wglexcorp -u 4006 -c "Lex Luthor" -s /bin/bash lluthor
```
...
The scenario is that we want to provide website hosting for two different clients, whom we will start by categorizing into two different groups (wgdailyplanet and wglexcorp),
...
Directory | Permissions | ACL | ACL (default) |
---|---|---|---|
/web/ | rwXr-X--X | www-data:rX | www-data:rX |
/web/php/ | rwXr-X--X | www-data:rX | www-data:rX |
/web/php/tmp/ | rwXr-X--- | www-data:rwX | www-data:rwX |
/web/php/logs/ | rwXr-X--- | www-data:rwX | www-data:rwX |
/web/php/dailyplanet/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
/web/php/dailyplanet/www/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
/web/php/dailyplanet/blog/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
/web/php/dailyplanet/blog/wp-content/ | rwXr-X--- | www-data:rwX wgdailyplanet:rwX | www-data:rwX wgdailyplanet:rwX |
/web/php/lexcorp/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
/web/php/lexcorp/www/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
/web/php/lexcorp/blog/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
/web/php/lexcorp/blog/wp-content/ | rwXr-X--- | www-data:rwX wglexcorp:rwX | www-data:rwX wglexcorp:rwX |
All directories must be owned by serveradmin:staff.
The setfacl utility is used to add the groups to the ACL of the respective directories. Take a look at the ACLs of each folder below.
web Folder
Start by creating the web folder under /opt:
```bash
cd /opt/
sudo mkdir web
# next set the permissions
sudo chmod u+rwX,g+r-w+X,o-rw+X web
sudo chown -R serveradmin:staff web
# now set www-data for the acl
sudo setfacl -Rm g:www-data:rX ./web/
sudo setfacl -Rm g:staff:rX ./web/
```
Now check your permissions for the web folder:
```bash
getfacl ./web
# file: web
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
# staff is given access in case users belonging to the virtual hosts make files and try to hide them to compromise the system
mask::r-x
other::--x
```
...
...
Once we are happy with the permissions, change the default ACLs so any files or folders created underneath the parent directories keep the same entries.
First look at the default ACLs. The default ACL of a folder applies to the folders and files created within that folder:
```bash
getfacl --default ./web
# file: web
# owner: serveradmin
# group: staff
```
...
To apply the current permissions as the defaults, use:
```bash
getfacl --access ./web/ | sudo setfacl -d -RM - ./web/
```
getfacl --access returns only the access ACL, i.e. the entries applied to the directory itself (default entries are not returned). That output is piped to setfacl, which reads the entries from standard input (-M -) and applies them as the default ACL (-d), recursively (-R),
...
```bash
getfacl --default ./web/
# file: web
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::--x
```
If you want to see both the access and the default ACLs together, don't specify either option:
```bash
getfacl ./web/
# file: web
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::--x
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::--x
```
php Folder
Now go into the web folder and create the php folder:
```bash
cd web
sudo mkdir php
sudo chown -R serveradmin:staff php
getfacl php
# file: php
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::--x
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::---
```
...
The php folder has inherited the permissions from web. Notice that the next set of folders do not give execute permission to others, so rather than setting the others permission on each folder, simply change the php others permission and push it into the defaults.
```bash
cd /opt/web/
sudo chmod o-rwx php
# next apply this change to the default
getfacl --access ./php/ | sudo setfacl -d -RM - ./php/
# check the permissions
getfacl php
# file: php
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::---
```
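To see where the entries php picked up from web come from, and why the mask line matters, here is an added Python example (not code from the original page) that applies the object-creation rule documented in acl(5): a new directory takes its parent's default ACL as its access ACL, and the user::, mask:: (or group:: when there is no mask) and other:: entries are then reduced to the bits in the mode passed to mkdir(2); the umask is ignored once a default ACL exists. The default ACL text below is constructed from the web listing above; the mode values are the ones a plain `mkdir` (0777) and a `mkdir -m 700` would pass.

```python
"""Compute the access ACL a new directory inherits from its parent's default ACL.
Added example; WEB_DEFAULT_ACL is constructed from the web folder listing."""
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed input: the default ACL of /opt/web as `getfacl --default` prints it.
WEB_DEFAULT_ACL = """\
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:mask::r-x
default:other::---
"""

def perm_to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def bits_to_perm(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_entries(text):
    """Return [(tag, qualifier, bits)] from getfacl output, dropping any 'default:' prefix."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perm_to_bits(perms)))
    return entries

def inherit_access_acl(default_entries, mode):
    """Access ACL of a directory created with `mode` under a parent carrying default_entries.
    Only the owner, group-class (mask, or group:: without a mask) and other entries are
    clipped by the mode; named users and groups are copied unchanged."""
    has_mask = any(tag == "mask" for tag, _, _ in default_entries)
    owner_bits, class_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    result = []
    for tag, qualifier, bits in default_entries:
        if tag == "user" and not qualifier:
            bits &= owner_bits
        elif tag == "mask" or (tag == "group" and not qualifier and not has_mask):
            bits &= class_bits
        elif tag == "other":
            bits &= other_bits
        result.append((tag, qualifier, bits))
    return result

def effective_rights(entries):
    """Rights each entry really grants: the mask caps group::, named users and named groups."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), 7)
    return {(tag, qualifier): (bits & mask if tag == "group" or (tag == "user" and qualifier) else bits)
            for tag, qualifier, bits in entries}

def render(entries):
    """Format entries the way getfacl prints an access ACL."""
    return [f"{tag}:{qualifier}:{bits_to_perm(bits)}" for tag, qualifier, bits in entries]

if __name__ == "__main__":
    defaults = parse_entries(WEB_DEFAULT_ACL)
    for mode in (0o777, 0o700):                       # plain `mkdir` versus `mkdir -m 700`
        acl = inherit_access_acl(defaults, mode)
        print(f"mkdir -m {mode:o}:", ", ".join(render(acl)))
        print("  effective www-data:", bits_to_perm(effective_rights(acl)[("group", "www-data")]))
```

With 0777 the new directory is an exact copy of the parent's defaults; with 0700 the mask collapses to ---, so www-data and staff keep their r-x entries on paper but effectively get nothing, which is exactly the situation getfacl flags with its #effective comments.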
Setting up the Virtual Hosts Structure
Next create your folders:
```bash
cd php
sudo mkdir dailyplanet
sudo mkdir lexcorp
sudo mkdir tmp
sudo mkdir logs
# remember serveradmin:staff must own the directory
cd ..
sudo chown -R serveradmin:staff php
# change the php folder permissions back to the way it was
sudo chmod o-rw+X php
getfacl --access ./php/ | sudo setfacl -d -RM - ./php/
# check the permissions
getfacl php
```
Now add the necessary groups to their respective virtual hosts:
```bash
cd php
sudo setfacl -Rm g:wgdailyplanet:rwX dailyplanet
getfacl --access ./dailyplanet/ | sudo setfacl -d -RM - ./dailyplanet/
cd dailyplanet
sudo mkdir www
sudo mkdir blog
cd ..
sudo chown -R serveradmin:staff dailyplanet
```
Repeat the same steps for lexcorp and change the group accordingly,
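Once both virtual hosts are set up, it is worth checking the result against the policy table rather than reading getfacl output by eye. The following Python audit is an added example, not tooling from the original page: it parses a `getfacl -R -p /opt/web/php` dump, applies the mask to get each group's effective rights, and reports any client directory that is not owned by serveradmin:staff, gives others any permission, does not give the client's own group effective rwx, lists another client's group, lets www-data write outside tmp, logs and wp-content, or has no default ACL. The dump, the client-to-group map and the violations seeded into it are constructed for the example.

```python
"""Audit a `getfacl -R -p /opt/web/php` dump against the virtual host ACL policy.
Added example: the dump, the client-to-group map and the seeded violations are constructed."""
ROOT = "/opt/web/php/"
CLIENT_GROUPS = {"dailyplanet": "wgdailyplanet", "lexcorp": "wglexcorp"}
WEB_WRITABLE = {"tmp", "logs", "wp-content"}          # the only folders www-data may write to
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample. Seeded problems: wglexcorp was added to dailyplanet/www; on lexcorp
# the mask is r-x (silently dropping wglexcorp's w), others have --x and no default ACL.
SAMPLE_GETFACL = """\
# file: /opt/web/php/dailyplanet/www
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
group:wglexcorp:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---

# file: /opt/web/php/lexcorp
# owner: serveradmin
# group: staff
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wglexcorp:rwx
mask::r-x
other::--x
"""

def perm_to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def bits_to_perm(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_getfacl(text):
    """One dict per '# file:' block: path, owner, group, access and default entry tables."""
    acls, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()      # drop getfacl's effective-rights notes
        if not line:
            continue
        if line.startswith("# "):                         # header line: file, owner or group
            key, value = line[2:].split(":", 1)
            if key == "file":
                cur = {"path": value.strip(), "owner": "", "group": "", "access": {}, "default": {}}
                acls.append(cur)
            else:
                cur[key] = value.strip()
            continue
        table = cur["access"]
        if line.startswith("default:"):
            table, line = cur["default"], line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        table[(tag, qualifier)] = perm_to_bits(perms)
    return acls

def effective(table, tag, qualifier=""):
    """Rights actually granted: group::, named users and named groups are capped by the mask."""
    bits = table.get((tag, qualifier))
    if bits is not None and (tag == "group" or (tag == "user" and qualifier)):
        bits &= table.get(("mask", ""), 7)
    return bits

def audit(acls):
    """Return (path, problem) pairs for every client directory that breaks the policy."""
    findings = []
    for acl in acls:
        path, access = acl["path"], acl["access"]
        if not path.startswith(ROOT):
            continue
        parts = path[len(ROOT):].split("/")
        own_group = CLIENT_GROUPS.get(parts[0])
        if own_group is None:                             # tmp/ and logs/ are not client trees
            continue
        if (acl["owner"], acl["group"]) != ("serveradmin", "staff"):
            findings.append((path, f"owned by {acl['owner']}:{acl['group']}, expected serveradmin:staff"))
        other = effective(access, "other")
        if other:
            findings.append((path, f"others have {bits_to_perm(other)}"))
        if effective(access, "group", own_group) != 7:
            findings.append((path, f"{own_group} does not effectively have rwx"))
        for tag, qual in access:
            if tag == "group" and qual != own_group and qual in CLIENT_GROUPS.values():
                findings.append((path, f"foreign client group {qual} is listed"))
        web = effective(access, "group", "www-data")
        if web and web & 2 and parts[-1] not in WEB_WRITABLE:
            findings.append((path, "www-data can write outside tmp/logs/wp-content"))
        if not acl["default"]:
            findings.append((path, "no default ACL; new files will not inherit the entries"))
    return findings
```

Run it against a real dump by replacing SAMPLE_GETFACL with the output of `sudo getfacl -R -p /opt/web/php`; the mask check is the one most often missed by eye, because getfacl still prints `group:wglexcorp:rwx` even when the mask has reduced the group to r-x.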
Testing Restrictions
User Lex Luthor has been given access to his directory "lexcorp" but learns of the "dailyplanet" directory by using his robots to spy on Clark Kent's computer. So Lex terminals in...
```bash
cd /opt/web/php/
cd dailyplanet
-su: cd: dailyplanet: Permission denied
```
After failing to enter dailyplanet he enters his own directory lexcorp and creates a directory to keep his evil plan.
```bash
cd /opt/web/php/lexcorp
mkdir secrets
chmod 700 secrets
cd secrets
ne evil plan
chmod 700 secrets
```
Backup and Restore
Introduction
...