
I am managing one machine that hosts an OTRS webserver. It has a normal user, 'otrs', which runs several periodic tasks and keeps (in the 'otrs' home) the files needed for the service to work. Then there is the Apache user, which runs the webserver that makes the app work. The 'otrs' user is in the 'apache' group, so I can give write permission to 'apache' in some folders.

To add some functionality, I need to give 'apache' write permission in the 'otrs' home directory. But if I do that, ssh won't connect with authorized keys, because it's a security risk. I've tried using ACLs to give 'apache' write permission on the 'otrs' home but not on home/.ssh, but it won't work.

So, what can I do? I've thought of removing the 'otrs' user and doing everything as 'apache', or running the webserver daemon as the 'otrs' user, but I don't know how to do either of these, or whether they may carry some problems...

Do you have any option that I haven't thought of?

Juanma

2 Answers

The problem is that even without write permission to .ssh, someone with write permission to the home directory could move or unlink .ssh, then introduce their own .ssh with an authorized_keys file in order to log in as otrs.

One solution would be to limit write permission to some subdirectory of ~otrs. Another would be to give ~otrs permissions of 1775 (the t-bit will prevent other users from unlinking or renaming .ssh), then set StrictModes to no in /etc/ssh/sshd_config. This may open up other accounts (with incorrect permissions) to attacks, but I assume that this is a dedicated machine, so that should not be a problem.
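The check that the question's ACL attempt and the 1775 approach above both run into is sshd's StrictModes path check, which looks only at the classic mode bits. As an added example (not code from the question or either answer), the function below emulates that check for a given home directory and user; the home path, the user name and the sample directory layout in the comments are assumptions for illustration.

```sh
#!/bin/sh
# Emulation of the path check sshd performs when StrictModes is "yes":
# authorized_keys, ~/.ssh and the home directory itself must each be owned
# by the login user (or root) and must carry neither the group-write nor the
# world-write bit. Only the mode bits are consulted, so the sticky bit does
# not help, and an ACL granting a second user write access does not help
# either: the ACL mask is shown in the group bits, so the directory looks
# group-writable and is rejected just the same.
#
# Usage: strictmodes_check HOME_DIR USER
# Prints one line per rejected path component; returns 0 only if every
# component passes. (Hypothetical helper; sshd's own check is in C.)
strictmodes_check() {
    home=$1
    user=$2
    rc=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        [ -e "$p" ] || continue
        # ls -ld prints e.g. "drwxrwxr-t 2 otrs apache 4096 ... /home/otrs";
        # take the mode string (field 1) and the owner (field 3).
        set -- $(ls -ld "$p")
        mode=$1
        owner=$3
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)   # world write bit
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "REJECT $p: owned by $owner, not $user or root"
            rc=1
        fi
        if [ "$gw" = w ]; then
            echo "REJECT $p: group-writable ($mode)"
            rc=1
        fi
        if [ "$ow" = w ]; then
            echo "REJECT $p: world-writable ($mode)"
            rc=1
        fi
    done
    return $rc
}

# Run against a real account when invoked directly, e.g.:
#   sh strictmodes_check.sh /home/otrs otrs
if [ $# -ge 1 ]; then
    strictmodes_check "$1" "${2:-$(id -un)}"
fi
```

Running it after `chmod 1775 /home/otrs`, or after `setfacl -m u:apache:rwx /home/otrs`, reports the home directory as group-writable, which is exactly what makes sshd with StrictModes yes refuse the key; that is why the 1775 route in the answer has to be paired with StrictModes no, and why confining apache's write access to a subdirectory of ~otrs is the cleaner fix.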

The 'otrs' account is basically a service or system account. The best way to fix this issue is, in my opinion, to not use the account for access over SSH. Create an account for yourself, 'juanma' or so, and configure sudo su access to the 'otrs' account. Now you can change user to the otrs account if needed.

MichielB
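The concrete configuration for this answer, as an added example rather than anything from the answer itself: a sudoers drop-in that lets the personal account become otrs (and only otrs), plus the matching sshd_config line that refuses SSH logins for the service account once it no longer needs them. The account name 'juanma' is taken from the answer; the file name under /etc/sudoers.d is an assumption.

```conf
# /etc/sudoers.d/otrs-admins   (edit with: visudo -f /etc/sudoers.d/otrs-admins)
# juanma may run any command as otrs, from any host, but gains no root.
juanma ALL=(otrs) ALL

# /etc/ssh/sshd_config   (check with: sshd -t, then reload sshd)
# The service account is no longer a login account over SSH, so StrictModes
# can stay at its default of "yes" and otrs's home can be made writable for
# apache without exposing a key-based login.
DenyUsers otrs
```

After this, `sudo -iu otrs` gives a login shell as otrs for maintenance, the otrs home directory no longer needs to satisfy sshd's ownership and mode rules, and the apache write permission the question asks for can be granted without weakening sshd on the machine.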