Hello, I’m a relative newbie to linux administration and I have a security question. I have a small inter-office webserver that some, not all, of my users need write privileges to the /www/htdocs and /www/cgi-bin directories. I am thinking of changing the group ownerships to ‘www’, adding write permissions, then assigning those end users to this group. Are there any security (or other) concerns to doing things this way? There is a distinct possibility that this server will eventually ‘go live’.
www is already the group id of Apache. It would be slightly better to create a new group for this, say webcontent, and assign the users who will upload to this group, then proceed per your plan. BTW do you really need to give them access to cgi-bin? Normally there are only a small number of cgi-bin scripts that need to be installed and thereafter access can be closed off.
The end users in question are software developers and I assumed they needed access to cgi-bin. On discussion with them it turns out that they don’t so I’m going to create a new group that doesn’t have that privilege (as well as removing it from the WWW group).