Date: Thu, 21 May 2015 13:37:43 +0200
From: Polytropon <freebsd@edvax.de>
To: Jeffry Killen <jekillen@prodigy.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: One more issue
Message-ID: <20150521133743.2d088239.freebsd@edvax.de>
In-Reply-To: <8C9A2CF4-BAC6-4228-9EE1-ADE6186E733B@prodigy.net>
References: <8C9A2CF4-BAC6-4228-9EE1-ADE6186E733B@prodigy.net>

On Wed, 20 May 2015 22:42:43 -0700, Jeffry Killen wrote:
> I installed apache24 from ports.
>
> added the requisite line to rc.conf to start apache on boot.
>
> I ran service apache24 start to start the server.
>
> from another machine I established an ftp connection to the
> doc root and attempted to edit the default index.html page.
>
> The ftp client informed me I couldn't edit the page, and I realized
> that the ownership of the doc root needed to be changed to ftp
> user.

No, that sounds wrong. The user "ftp" is the anonymous (!) FTP
user (the one without a name and a password). You probably don't
want to give that user access to document files.

Do you have ftpd (FreeBSD's FTP server) running, or do you use
something different?

See the file /etc/ftpusers - it contains those _not_ allowed to
run FTP connections: "root" and "ftp" commonly are the two top
entries. Make sure that they are there, if you have to use FTP.

Which means: Using FTP today is a bad idea, no matter what
"reason" you might mention... :-)

> SO, via ssh I attempted to login via su and the root password
> was refused.

The users which are allowed to "su root" have to be members of
the "wheel" group. Check /etc/group for the relevant entries.
Use "pw groupmod" to add the user, if required.

> I went to the monitor attached to the server and attempted to log in
> as root. I kept getting refusals.

SSH logins for root are usually disallowed. There's an option
named "PermitRootLogin yes" in /etc/ssh/sshd_config which can
be set. However, it's encouraged not to do this, and instead
to use a normal user login + wheel group + su. Also have a look
at the "sudo" and "super" tools, available via ports.

> I ended up having to dig up how to boot into single user mode to
> change root password. That I did. Now I can log in as root or
> su as usual.

This indicates a password mismatch rather than a "normal"
permission problem.

> The point is that I did not fool around with the password file.
> Something else altered or corrupted it. Hopefully I don't now
> have a root kit hanging around.

That's worth checking. It's also good to have backups of the
relevant files and the databases generated from them.

> I am concerned about having to be connected to the internet
> so ports can fetch anything it sees fit. (this is why I had avoided
> using ports in the past).

That's no big deal, and no big difference between ports and
packages. Make sure you read about system security, and also
make sure you have a firewall in place, just in case. Also
know about your log files, for example /var/log/auth.log.
In case you're running an FTP server, use /var/log/ftpd.log.

> What services do I have to allow to and from the internet that
> are secure with respect to hosts.allow and tcpwrappers, for the sake
> of ports?

Ports are usually obtained with the "fetch" program, using
FTP or HTTP, depending on how the port's distfiles are being
provided.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
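
The three files the reply says to check (/etc/ftpusers, the wheel entry in /etc/group, PermitRootLogin in /etc/ssh/sshd_config), read by a small sh script. This is an added example, not part of the original message; the function names and the sample tree are constructed for illustration, and Match blocks in sshd_config are not interpreted.

```sh
#!/bin/sh
# Added example: read-only audit of the files named in the reply.
# audit takes a root prefix; use audit "" to inspect the live system.

# Print each of "root" and "ftp" that is NOT listed in the ftpusers deny file.
ftpusers_missing() {
    for u in root ftp; do
        awk -v u="$u" '$1 == u { found = 1 } END { exit !found }' "$1" ||
            echo "$u"
    done
}

# Print the member list of the wheel group (the accounts allowed to "su root").
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Print the first uncommented PermitRootLogin value, or "unset" if none is set.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

audit() {
    root=$1
    missing=$(ftpusers_missing "$root/etc/ftpusers" | tr '\n' ' ')
    echo "ftpusers, deny entries missing: ${missing:-none}"
    echo "wheel members: $(wheel_members "$root/etc/group")"
    echo "PermitRootLogin: $(root_login_setting "$root/etc/ssh/sshd_config")"
}

# Constructed sample tree: "ftp" is absent from ftpusers, root login is enabled.
sample=$(mktemp -d)
mkdir -p "$sample/etc/ssh"
printf '# constructed sample\nroot\ntoor\n' > "$sample/etc/ftpusers"
printf 'wheel:*:0:root,alice\noperator:*:5:root\n' > "$sample/etc/group"
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$sample/etc/ssh/sshd_config"
audit "$sample"
rm -rf "$sample"
```
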