It's the little things that make server config great

admin's picture

It's the smallest details that make for a good server config, like folder permissions. We setup files and folders with the right permissions to avoid latent problems. For example, on one of our dev VMs:

Stick bits

The web user originates files by SSH or Samba that the web server will later access, through its www-data group. When creating those files, through whatever mechanism, they need to be given the right permissions. 640 on the files (web user r/w, web server r, all -) and 750 on the folders (

Devopera VMs use ACL and the stickybit to ensure that:

  • if you create a directory, it's given 2750
  • if you create a file, it's given 0640
  • whatever you create, it's user web, group www-data

Now that's a really small thing, but if it weren't like this, you might end up with execute bits on some files (from a chmod 750 -R *), which makes then slightly more vulnerable to an exploit. If your files are part of a version controlled working copy, then those pesky exec bits might find their way into the VCS (like git/github.com). Once they're there, any time that repo is checked out/cloned, those files get those exec bits, which means all the servers that deploy that repo are now affected.

This is one of the reasons why we concentrate on making sure dev VMs are as close to live server setup as possible, so that you're originating deployable apps without any niggles that might hamper their smooth running in a live environment, one that we're also happy to build for you, but that's another story.

Session timeouts on production servers

CSF/LFD alerts if you leave a terminal logged into a production server. It's a nice feature that's useful for catching long-running processes that shouldn't be long-running. Unfortunately it means that if a developer legitimately logs into the server and leaves themselves logged in, but idle, that sysadmin gets nagged by email. Because the developer's SSH client might have keep-alive pings, sshd doesn't timeout the session, however you can configure bash (the shell) to watch for periods of sustained inactivity and terminate the session after, say, 5 minutes.

Recent Articles

published 2 years 6 months ago

Site

Follow Us

Twitter icon
Facebook icon
LinkedIn icon
SlideShare icon
YouTube icon
RSS icon