Re: [cobalt-users] Folder Rights Issue
- Subject: Re: [cobalt-users] Folder Rights Issue
- From: Jeff Lasman <blists@xxxxxxxxxxxxx>
- Date: Tue Jan 20 10:01:01 2004
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Tuesday 20 January 2004 01:54 am, Barnaby Mortensen wrote:
> Yes, that's my 'work around' for it. I'm wondering if there is
> something else I can do. For example, if I'm developing in
> Dreamweaver, instead of saving files out, then su'ing and uploading,
> etc. via the command line, how would one develop live on the server
> and avoid these folder rights issues? Is this even possible?
These are all linux security issues. You can do anything with rights,
including giving me the ability to delete all your files, from the
Internet, using only a browser. But you wouldn't want to do that,
would you?
You first mentioned being admin, and I'm not sure if you meant
site-admin, or system admin.
If you're system admin you're not root, but you can shell into the
system and become root using su.
Giving admin su rights is possible. In fact it's even easy to do, but
most of us consider it an incredible security hole. Of course since
RaQs use the same password for admin and root, the security hole is
pretty much there anyway. If you want to be able to do everything as
system admin, change the admin gid and uid in /etc/passwd to 0 for each
of them. You don't even have to restart anything.
But if you do that you'd better use ssl to log in through the gui, and
you'd better have all mail to admin forwarded to another user so you
don't ever pass the password in the clear.
And if you ever have passed the password in the clear, then you should
change it now.
> Often times if it's a quick change (needing some graphic work, etc.),
> I'll connect through DW via FTP, make the quick edit and save it out
> live on the server..done in like 5 seconds. I know I can ssh in, SU,
> etc. and do this all with PICO or what have you, but it would be a
> dream if I could fire up DW and make these changes live without
> having to impact the user rights on the folders.
Using DW to log in as the user is a great option.
> My other work around has been to set up a secondary account in DW so
> when I FTP in, I'm using the siteadmin's account.
As you've already figured out.
> But I don't want
> to be responsible for all the siteadmin's usernames and passwords.
> I'd like to give them SOME privacy.
They'll have more privacy if you have their password than if your box
gets compromised because you're careless with master passwords and
permissions.
> I suppose ssh and SU would be my best option to eliminate those
> annoying folders that can't be deleted. But what about the other
> issues? Perhaps it's just the nature of the beast and there really
> isn't an easy answer.
There are never easy answers. There are tradeoffs. The best way to
secure your box is to unplug it. But the tradeoffs are lousy.
<smile>
When we do uploads, changes, etc., we use the admin account and scp to
move the files to the box; then we log in with ssh, move the files and
change their permissions as necessary.
But you can have two site-admins, following the instructions I posted as
a reply to the "proftp overwrite as site admin" thread.
Jeff
--
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA 92517 US
Professional Internet Services & Support / Consulting / Colocation
Our blists address used on lists is for list email only
Phone +1 909 324-9706, or see: "http://www.nobaloney.net/contactus.html"
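
A defender's check for the change described in the message above (setting a non-root account's uid and gid to 0 in /etc/passwd), as an added example that is not part of the original post. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Audit passwd-format input for accounts other than "root" that carry
# UID 0 or primary GID 0. Prints one finding per line as "<kind>:<login>".
# Reads the file named as an argument, or standard input when none is given.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        NF < 7 { print "malformed:" $1; next }    # a passwd entry has 7 fields
        $1 != "root" && $3 == 0 { print "uid0:" $1 }   # full root privileges
        $1 != "root" && $4 == 0 { print "gid0:" $1 }   # primary group is root
    ' "$@"
}

# Constructed sample entries (not taken from any real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash
siteadm:x:501:0:site admin:/home/siteadm:/bin/bash
alice:x:502:100:user:/home/alice:/bin/bash
broken:x:503
EOF
}

# Demonstration run on the constructed sample.
sample_passwd | audit_passwd
```

On a live system, run `audit_passwd /etc/passwd`; any `uid0` line other than an account you deliberately changed deserves investigation.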