From owner-freebsd-questions@FreeBSD.ORG Thu May 21 11:37:47 2015
Date: Thu, 21 May 2015 13:37:43 +0200
From: Polytropon
To: Jeffry Killen
Cc: freebsd-questions@freebsd.org
Subject: Re: One more issue
Message-Id: <20150521133743.2d088239.freebsd@edvax.de>
In-Reply-To: <8C9A2CF4-BAC6-4228-9EE1-ADE6186E733B@prodigy.net>
References: <8C9A2CF4-BAC6-4228-9EE1-ADE6186E733B@prodigy.net>
Reply-To: Polytropon
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
List-Id: User questions

On Wed, 20 May 2015 22:42:43 -0700, Jeffry Killen wrote:
> I installed apache24 from ports.
>
> added the requisite line to rc.conf to start apache on boot.
>
> I ran service apache24 start to start the server.
>
> from another machine I established an ftp connection to the
> doc root and attempted to edit the default index.html page.
>
> The ftp client informed me I couldn't edit the page, and I realized
> that the ownership of the doc root needed to be changed to ftp
> user.

No, that sounds wrong. The user "ftp" is the anonymous (!) FTP
user (the one without a name and a password). You probably don't
want to give that user access to document files.

Do you have ftpd (FreeBSD's FTP server) running, or do you use
something different? See the file /etc/ftpusers - it contains
those _not_ allowed to run FTP connections: "root" and "ftp"
commonly are the two top entries. Make sure that they are there,
if you have to use FTP. Which means: Using FTP today is a bad
idea, no matter what "reason" you might mention... :-)

> So, via ssh I attempted to login via su and the root password
> was refused.

The users which are allowed to "su root" have to be members of
the "wheel" group. Check /etc/group for the relevant entries.
Use "pw groupmod" to add the user, if required.

> I went to the monitor attached to the server and attempted to log in
> as root. I kept getting refusals.

SSH logins for root are usually disallowed. There's an option
named "PermitRootLogin yes" in /etc/ssh/sshd_config which can be
set. However, it's encouraged not to do this, and instead to use
a normal user login + wheel group + su. Also have a look at the
"sudo" and "super" tools, available via ports.

> I ended up having to dig up how to boot into single user mode to
> change root password. That I did. Now I can log in as root or
> su as usual.

This indicates a password mismatch rather than a "normal"
permission problem.

> The point is that I did not fool around with the password file.
> Something else altered or corrupted it. Hopefully I don't now
> have a root kit hanging around.

That's worth checking. It's also good to have backups of the
relevant files and the databases generated from them.

> I am concerned about having to be connected to the internet
> so ports can fetch anything it sees fit. (this is why I had avoided
> using ports in the past).

That's no big deal, and no big difference between ports and
packages. Make sure you read about system security, and also
make sure you have a firewall in place, just in case. Also know
about your log files, for example /var/log/auth.log. In case
you're running an FTP server, use /var/log/ftpd.log.

> What services do I have to allow to and from the internet that
> are secure with respect to hosts.allow and tcpwrappers, for the sake
> of ports?

Ports are usually obtained with the "fetch" program, using FTP
or HTTP, depending on how the port's distfiles are being provided.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
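The reply above points at three files worth checking after an incident like this: the "wheel" line in /etc/group (who may "su root"), PermitRootLogin in /etc/ssh/sshd_config, and the "root" and "ftp" entries in /etc/ftpusers. The following script is an added example, not part of the mail or of FreeBSD; it audits all three against constructed sample files (a weak sshd_config beside a fixed one) so it runs offline, and the same functions can be pointed at the real files on a host. The user name "jeff" and the sample file contents are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the three settings the
# reply names, run against constructed sample files so it works offline.
# Point the functions at the real /etc/group, /etc/ssh/sshd_config and
# /etc/ftpusers to audit a FreeBSD host.

# 0 if USER is a member of the "wheel" line in a group(5) file, else 1.
in_wheel() {
    awk -F: -v u="$1" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# Print the effective global PermitRootLogin value from an sshd_config.
# First occurrence wins (sshd_config(5)); this stops at the first Match
# block and prints "unset" when the keyword never appears, in which case the
# compiled-in default applies and "sshd -T" shows the effective value.
permit_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# 0 if NAME is listed in ftpusers(5) (and therefore denied FTP login).
ftp_denied() {
    awk -v u="$1" '$1 !~ /^#/ && $1 == u { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Write constructed sample files and print the directory they live in.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/group" <<'EOF'
wheel:*:0:root,jeff
daemon:*:1:
www:*:80:
EOF
    # Weak: the commented-out default is overridden by an explicit "yes".
    cat > "$d/sshd_config.weak" <<'EOF'
#PermitRootLogin no
Port 22
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
    # Fixed: root logs in as a normal user and uses su (wheel) or sudo.
    cat > "$d/sshd_config.fixed" <<'EOF'
Port 22
PermitRootLogin no
EOF
    cat > "$d/ftpusers" <<'EOF'
# users listed here may not log in via FTP
root
ftp
EOF
    echo "$d"
}

# Print an audit report for USER against the files in DIR, using CFG as
# the sshd_config file name inside DIR.
audit_host() {
    dir=$1; user=$2; cfg=$3
    if in_wheel "$user" "$dir/group"; then
        echo "ok:   $user is in wheel and may 'su root'"
    else
        echo "WARN: $user is not in wheel (pw groupmod wheel -m $user)"
    fi
    prl=$(permit_root_login "$dir/$cfg")
    case $prl in
        yes) echo "WARN: $cfg allows root SSH logins (PermitRootLogin yes)" ;;
        *)   echo "ok:   $cfg PermitRootLogin = $prl" ;;
    esac
    for n in root ftp; do
        if ftp_denied "$n" "$dir/ftpusers"; then
            echo "ok:   $n is denied FTP login"
        else
            echo "WARN: $n is missing from ftpusers"
        fi
    done
}

SAMPLE_DIR=$(make_samples)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
audit_host "$SAMPLE_DIR" jeff sshd_config.weak
audit_host "$SAMPLE_DIR" jeff sshd_config.fixed
```

The sshd_config parser deliberately ignores everything after the first "Match" line, because directives inside a Match block only apply to the matched users; the global value is what decides whether root can log in from anywhere. For the real answer on a live host, "sshd -T" prints the effective configuration after all defaults and Match blocks are applied.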