Bod has asked for the wisdom of the Perl Monks concerning the following question:

This is not directly related to Perl, but it is to allow one of my team to start working on our Perl scripts...

Our Debian 12 webserver has Apache and Plesk installed. All Perl scripts under the webroot have the 'owner' set to a user created by Plesk for that website and the 'group' set to psacln. The 'permissions' for each script is set to 0755.

I log on as root, so have no issue accessing Perl scripts and other files.

I've created an FTP account for a team member and added them to the psacln group. They can read files on the server but cannot edit them because the write permission is set for the owner only. Of course, I could change the permissions to 0775 which would give the FTP account write access but I'm concerned about doing that for two reasons.

  1. It seems like a security risk
  2. Apache gives a 403 error for scripts set to 0775

I assume Apache can be set to run scripts with the group write bit set. But is this a good idea or is there a better way to give read/write access to an FTP account?

Replies are listed 'Best First'.
Re: [OT] FTP user permissions
by hippo (Archbishop) on Dec 04, 2024 at 23:50 UTC
    I assume Apache can be set to run scripts with the group write bit set.

    In general, yes. However I suspect that you have it running with suEXEC in which case, no. See point 16 in the suEXEC security model. This is by design and is for security reasons.

    🦛

[reply]
Re: [OT] FTP user permissions
by NERDVANA (Priest) on Dec 06, 2024 at 09:05 UTC
    If you mean classic FTP, yes this is a huge security risk because the password is sent in plaintext over the wire. Nobody should be using classic FTP for anything unless there is no other option. The alternatives are ftps (SSL+classic FTP) or sftp (SSH with file-transfer subsystem). Everyone should be using sftp, and ideally connecting with an authorized_key instead of a password.

    If you trust them enough to let them run scripts on the server, then presumably you trust them enough to also log into the server as the Plesk website user. In that case you can just configure sftp for that user so that they are pushing files to "sftp://website-user@webhost/htdocs/cgi" or something like that. SSH has various directory permissions that must be maintained for that to work, but should be doable. The files will arrive as the correct user, so no changes are needed to Apache.

    My preferred CGI design is to have one user or group owning the files and a *different* user lacking any write permission executing the files. See if Plesk will let you configure it that way. (I've never used Plesk)

    Keep in mind that you need to trust this user to also be cgi-savvy and not open any security holes of their own! The old CGI pattern of doing things where a directory contains a mixture of code and static content and is writable as the user executing the script has a long track record of vulnerabilities. There's a reason everyone moved to application frameworks deployed in containers from version control.

[reply]
      Everyone should be using sftp

      Unfortunately, Plesk only allows SFTP for the system user.

      When an FTP account is created in Plesk, it doesn't seem to create an account in the normal way. It appears to be some kind of alias. When I use id username I do not get username:username but instead the sub account and a Plesk defined group.

      Instead, I have tried creating an SFTP account manually which works and gives access to the entire server. When I restrict access using a Match command in /etc/ssh/sshd_config, it goes back to being read only.

[reply]
[d/l]
[select]
        The manual option requires fiddling with some permissions on a normal OpenSSH system. Here're the relevant bits for the servers I manage:

        /etc/ssh/sshd_config 

        AllowGroups ... ssh-ftp-only ...

...

Match Group ssh-ftp-only
        ChrootDirectory %h
        ForceCommand internal-sftp -d upload
        PermitTTY no

        [download]
        Then add your user to that group, and set their shell to /usr/local/sbin/scponlyc if available.

        Then you need these permissions on their home directory: 

        drwxr-x--- 5 root   user     4096 Jun 12  2017 /home/user/
drwx------ 2 root   root     4096 Nov  7  2016 /home/user/.ssh
drwxr-xr-x 2 user   user     4096 Feb 27  2020 /home/user/upload

        [download]

        This is because letting them modify their own .ssh directory or create a /lib directory within their chrooted home would also let them escape the chroot, so ssh checks for those cases before letting them write anything.

        When they connect, the current directory will be the chroot's /upload directory, and that will be the only directory they can write.

[reply]
[d/l]
[select]

        Unfortunately, Plesk only allows SFTP for the system user.

        When an FTP account is created in Plesk, it doesn't seem to create an account in the normal way. It appears to be some kind of alias. When I use id username I do not get username:username but instead the sub account and a Plesk defined group.

        What a mess. For me, that alone would be an argument not to use Plesk.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]

Back to Seekers of Perl Wisdom