Parallels H-Sphere Documentation System Administrator Guide

 

Preventing Manipulation with Logs Directory Permissions

(H-Sphere 2.5 Patch 8 and up)
 

Last modified: 27 Dec 2007

 

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.

The security scheme prevents untrusted users from manipulating the logs directory and prohibits users other than httpd from entering the user directory. An example of the permissions and groups associated with the directories under the new security scheme (since H-Sphere 2.5 Patch 11 and 3.0 Patch 2) is as follows:

d---rwx--t 3 root january 4096 Dec 8 20:32 january

where:
d---rwx--t - permissions with a sticky bit that prevents users from making any changes to the logs directory
root - owner of the directory (should not coincide with the user name)
january - directory name
4096 - size in bytes
Dec 8 20:32 - date of last modification
january - user home directory name

Use the logslock utility to set or remove the immutable flag on the ~userhome/logs directory:

logslock -h

Usage: /hsphere/shared/bin/logslock [ -p directory ] [ -u directory ] [-s] [-a]
p : set sticky bit on home directory
u : unset sticky bit from home directory
a : unset sticky bit from home directories of H-Sphere users
s : set sticky bit on home directories of H-Sphere users
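
To confirm that a home directory matches the listing shown above, its mode, owner and group can be checked with a short script. This is an added example, not part of H-Sphere or its documentation; the helper names check_home_scheme and audit_homes are hypothetical, GNU stat (Linux) is assumed, and the group is assumed to be named after the home directory, as in the sample listing.

```shell
#!/bin/sh
# Added example, not part of H-Sphere. Assumes GNU coreutils stat (Linux).
EXPECTED_MODE='d---rwx--t'   # symbolic mode copied from the listing above

# usage: check_home_scheme DIR [OWNER] [GROUP]   (hypothetical helper)
# OWNER defaults to root. GROUP defaults to the directory name, as in the
# sample listing (assumption: the user's group is named like the home dir).
# Returns 0 on match, 1 on any mismatch, 2 if DIR cannot be inspected.
check_home_scheme() {
    dir=${1%/}
    want_owner=${2:-root}
    want_group=${3:-$(basename "$dir")}
    rc=0

    # Refuse symlinks so the check cannot be pointed at another directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a real directory" >&2
        return 2
    fi

    mode=$(stat -c '%A' "$dir")  || return 2   # e.g. d---rwx--t
    owner=$(stat -c '%U' "$dir") || return 2
    group=$(stat -c '%G' "$dir") || return 2

    if [ "$mode" != "$EXPECTED_MODE" ]; then
        echo "FAIL $dir: mode $mode, expected $EXPECTED_MODE" >&2; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $dir: owner $owner, expected $want_owner" >&2; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL $dir: group $group, expected $want_group" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $dir ($mode $owner:$group)"
    return "$rc"
}

# Audit several home directories; returns non-zero if any of them fails.
audit_homes() {
    status=0
    for d in "$@"; do
        check_home_scheme "$d" || status=1
    done
    return "$status"
}
```

Call audit_homes with the home directories to check; each mismatch is reported on stderr and the return status is non-zero if any directory deviates from the scheme.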

Note: The above-mentioned permission settings for the user home directory may cause users to be denied access via ssh if public key authentication is used. To avoid the problem, you can disable strict sshd mode by editing the sshd_config file and restarting the sshd daemon (/etc/ssh/sshd_config file on Linux).


