Two Linux security permission configuration problems that are easily overlooked

Source: Internet
Author: User
Tags: ssh, server

This article covers two permission-management problems that are easily overlooked when configuring servers, and that occasionally surface and cause trouble.

1. Permissions that are too broad

Some services require permissions to fall within a particular range: too little and the service cannot use the file, but too much and it refuses to use the file as well. Insufficient permissions are the case everyone expects; the overlooked case is a file or directory with more permissions than the service is willing to accept.

Example:

Problem: the test account cannot log on to an SSH server with a key, while the test2 account on the same machine can.

View the file permissions:

test@client:~$ ls -l ~/.ssh/

-rw------- 1 test test 1675 2010-03-25 15:15 id_rsa

Checking the public and private key permissions under the .ssh directory on both the client and the server shows nothing wrong.

The private key must be 600, and the public key must be 644 or stricter. Both are as required, yet the logon still fails.

test@server:~$ ls -la ~ | grep -w .ssh

drwxr-xr-x 2 test test 4.0K 12-23 16:59 .ssh

The .ssh directory on the server is 755, which also meets the requirement: for key logon the .ssh directory must not be writable by anyone other than its owner.

At first I wondered why test2 could log on with a key while test could not, and I checked ssh_config and sshd_config several times without finding anything wrong. Finally I compared the two accounts on the server and found a suspicious spot.

$ ls -l /home/

drwxrwxrwx 3 test  test  4096 2009-12-31 17:31 test

drwxr-xr-x 6 test2 test2 4096 2010-03-23 15:59 test2

The home directory permissions of the two accounts differ: test is 777, test2 is 755. Could that be the cause? After changing the test home directory on the server to 755, the problem was solved.

Cause:

Key-based SSH logon requires strict permissions. On the client side the private key must be 600 or stricter (for example 400). As soon as the private key is readable by other users (640, for example), ssh refuses to use it and behaves as if no private key existed: it warns that the key file's permissions are too open and ignores the key.

On the server side the public key file (authorized_keys) must not be writable by other users. If it is (660, for example), key logon fails with Permission denied (publickey).

The same applies to the .ssh directory: if it is writable by other users (770, for example), the key cannot be used and logon fails with Permission denied (publickey).

Nor is it only the .ssh directory: the permissions of the directories above it matter too.

A world-writable home directory means other users can rename or delete the .ssh subdirectory itself, so sshd treats .ssh as effectively writable by others and refuses key logon. The check is sshd's StrictModes option, which is on by default: sshd verifies that the user's home directory, .ssh and authorized_keys are owned by the user (or root) and carry no group or world write bit before it accepts the key. Turning StrictModes off silences the error but leaves the world-writable home in place, which is exactly what the check exists to catch.
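As an added example (not part of the original article), the following shell script reproduces sshd's StrictModes checks on the server side and the client-side private-key check, so the whole chain (home directory, .ssh, authorized_keys, id_rsa) can be audited at once and the 777 home directory from the case above is caught. The function names and the fix applied (chmod go-w on the home directory, 700 on .ssh, 600 on authorized_keys) are this example's own choices; it relies only on ls and awk, so it runs without root and on a machine without sshd.

```shell
#!/bin/sh
# Added example: audit the paths sshd inspects under StrictModes.
# sshd requires home, ~/.ssh and ~/.ssh/authorized_keys to be owned by the
# user (or root) and to carry no group or world write bit. The private key
# on the client must have no group/other bits at all (600 or 400).
# Function names and the fix policy below are this example's own.

# Return 0 if PATH is owned by USER (or root) and is not group/world-writable,
# which is what sshd demands for every path it walks for key logon.
safe_for_sshd() {
    path=$1; user=$2
    set -- $(ls -ld "$path" | awk '{print $1, $3}')   # e.g. "drwxrwxrwx test"
    mode=$1; owner=$2
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "BAD  $path: owned by '$owner', expected $user or root"
        return 1
    fi
    # mode string: position 6 is the group write bit, position 9 the other write bit
    case "$mode" in
        ?????w*|????????w*)
            echo "BAD  $path: $mode is group- or world-writable (sshd ignores the key)"
            return 1 ;;
    esac
    echo "ok   $path: $mode $owner"
    return 0
}

# Server side: check the whole chain sshd walks before accepting authorized_keys.
check_ssh_perms() {
    home=$1; user=$2; rc=0
    safe_for_sshd "$home" "$user" || rc=1
    safe_for_sshd "$home/.ssh" "$user" || rc=1
    if [ -f "$home/.ssh/authorized_keys" ]; then
        safe_for_sshd "$home/.ssh/authorized_keys" "$user" || rc=1
    fi
    return $rc
}

# Apply the fix from the case above (777 home -> 755) plus the usual tightening.
fix_ssh_perms() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    if [ -f "$home/.ssh/authorized_keys" ]; then
        chmod 600 "$home/.ssh/authorized_keys"
    fi
}

# Client side: a private key with any group/other bit (e.g. 640) is ignored by ssh.
private_key_ok() {
    mode=$(ls -l "$1" | awk '{print $1}')
    case "$mode" in
        ????------*) return 0 ;;
        *) echo "BAD  $1: $mode, private key must be 600 or 400"; return 1 ;;
    esac
}

# Usage: sh check_ssh_perms.sh /home/test test
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Run it as the user whose key fails (or as root) against the home directory sshd will inspect; the first BAD line is the path sshd stops at. Compare with what sshd itself logs when run with -d or with LogLevel DEBUG, which names the offending path as well.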

2. SELinux on CentOS

If you configure a service and, no matter how the configuration file is written, some port cannot be opened or some file cannot be accessed, beware of SELinux playing tricks.

Example:

Problem: Apache always reports that you do not have permission to access the configured directory.

Configuration in Apache:

Alias /hello.html /web/hello.html

<Directory /web>
    Order deny,allow
    Allow from all
</Directory>

However you check it, nothing is wrong, and the file permissions are correct too. At this point, check the SELinux labels:

# ls -Z /web/

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 hello.html

The /web directory carries the admin_home_t type, which the confined Apache process (httpd_t) is not allowed to read, so the user Apache runs as cannot access it regardless of the 644 mode bits.

Cause:

By default SELinux restricts which directories Apache may access: httpd_t may only read files labelled as web content (httpd_sys_content_t and its related types), and out of the box only /var/www and a few other paths carry that label. No wonder configuring just Apache and the file permissions does not work.

To read files under /web, the SELinux configuration must be changed: either relabel /web with a type httpd_t may read, or move the content under /var/www where the label is already correct.

In fact it is not just file permissions: the ports and interfaces a service may use are also restricted by SELinux defaults. If you run into an inexplicable problem when configuring a service on CentOS, check SELinux: getenforce shows whether it is enforcing, and the AVC denials in /var/log/audit/audit.log name the process, the file and the type that was refused.
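Added example (not from the original article): a small shell audit that reads ls -Z output in the format shown above (CentOS 6 style: mode, owner, group, context, name; the context field is located by its colon-separated shape, so the newer two-field form of plain ls -Z works too), extracts the SELinux type and reports which entries httpd_t is allowed to read, then prints the persistent relabel an administrator would apply with semanage and restorecon. The readable types listed are the ones the targeted policy grants httpd_t unconditionally (httpd_sys_content_t, httpd_sys_rw_content_t, httpd_sys_ra_content_t); the function names are this example's own, and the fix commands are printed rather than executed so the script runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example: find /web-style mislabelling from `ls -Z` output.
# DAC bits (644) are not the problem in the case above; the SELinux type is.
# Function names are this example's own; the fix is printed, not run.

# Extract the type from a context: unconfined_u:object_r:admin_home_t:s0 -> admin_home_t
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Return 0 if httpd_t may read files of this type under the targeted policy.
# Other types (e.g. httpd_user_content_t) depend on booleans and are treated as denied here.
httpd_readable_type() {
    case "$1" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ls -Z` lines on stdin, print one verdict per entry, return 1 if any
# entry carries a type httpd_t cannot read. The context is the field shaped
# like user:role:type[:level]; the name is the last field. "total N" lines are skipped.
audit_ls_z() {
    rc=0
    while read -r line; do
        set -- $line
        ctx=''; name=''
        for f in "$@"; do
            case "$f" in *:*:*) ctx=$f ;; esac
            name=$f
        done
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        if httpd_readable_type "$t"; then
            echo "ok    $name: $t"
        else
            echo "DENY  $name: $t (httpd_t may not read this type even if the mode bits allow)"
            rc=1
        fi
    done
    return $rc
}

# Print the persistent relabel for a directory (policycoreutils-python provides
# semanage on CentOS). chcon alone would be undone by the next filesystem relabel.
relabel_commands() {
    dir=$1
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Usage: sh audit_httpd_labels.sh /web
if [ "$#" -eq 1 ]; then
    ls -Z "$1" | audit_ls_z || relabel_commands "$1"
fi
```

After running the two printed commands, ls -Z /web/ should show httpd_sys_content_t on the files, and the denial disappears without touching the Apache configuration or the mode bits. If the content must be written by Apache, use httpd_sys_rw_content_t instead; and confirm the diagnosis first with the AVC records in the audit log (ausearch -m avc -ts recent) rather than by setting SELinux to permissive.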

