Any chance for a tighter /etc/ structure?
Kevin Kofler
kevin.kofler at chello.at
Thu Jul 31 15:04:40 UTC 2008
Pat Riehecky <prieheck <at> iwu.edu> writes:
> about in apache tells me all sorts of things. Like in this user's home
> they have a .ht_passwords file with customer access rights. A file that
> I can cat if I want and compromise their privacy. A file I must be able
> to cat because of the apache permissions. A file I would never have
> found if I hadn't been able to read the httpd.conf file. The httpd.conf
> file that as a non-root user, I never have a reason to read.
Sure, the /etc permissions are more open than necessary, but here
the .ht_passwords file's permissions are the actual problem. There are plenty
of ways to make files readable to Apache without making them world-readable:
* use groups: make a group for each hosted site containing only the user(s)
allowed to modify the site and apache, then chown the file theuser:thegroup and
make it 640.
* use setfacl (requires filesystem support, ext3 supports it):
chmod 600 .ht_passwords
setfacl -m u:apache:r .ht_passwords
Kevin Kofler
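The two fixes Kevin lists (group with mode 640, or 600 plus a read ACL for the apache user) can be checked and applied with a small audit script. This is an added example, not part of the original mail or of any Fedora tooling; it assumes standard `ls -ld` mode-string layout and takes the group and ACL user names from the caller, and `setfacl` may be absent on the running system.

```shell
#!/bin/sh
# Added example: find htpasswd-style files that are world-readable and
# tighten them the two ways described in the post. Assumes `ls -ld`
# prints the mode string first (e.g. -rw-r--r--); char 8 is other-read.

# Return 0 if "others" have the read bit on $1.
world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]
}

# Print every .ht_passwords / .htpasswd file under $1 that is world-readable.
find_exposed() {
    find "$1" \( -name '.ht_passwords' -o -name '.htpasswd' \) -type f 2>/dev/null |
    while IFS= read -r f; do
        if world_readable "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Group approach: owner rw, the site's group (which contains apache) r, others nothing.
harden_with_group() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# ACL approach: 600 plus a read ACL for the web server user ($2, e.g. apache).
# Needs setfacl and filesystem ACL support; returns 1 if setfacl is missing.
harden_with_acl() {
    command -v setfacl >/dev/null 2>&1 || return 1
    chmod 600 "$1" && setfacl -m "u:$2:r" "$1"
}

# Demo on a constructed, deliberately world-readable file in a temp tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/site1/public_html"
    printf 'customer:PLACEHOLDER_HASH\n' > "$tmp/home/site1/public_html/.ht_passwords"
    chmod 644 "$tmp/home/site1/public_html/.ht_passwords"
    echo "exposed before:"; find_exposed "$tmp"
    harden_with_group "$tmp/home/site1/public_html/.ht_passwords" "$(id -gn)"
    echo "exposed after:"; find_exposed "$tmp"
    rm -rf "$tmp"
}
```

Run `demo` to see the audit before and after the group fix; in a real deployment pass the per-site group (or `apache` to `harden_with_acl`) instead of the caller's own group.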