httpd newbie / access denied, no permission to ~userid

Paul Howarth paul at city-fan.org
Wed Aug 17 14:08:55 UTC 2005


Tim wrote:
> Tim:
> 
> 
>>>Owner permissions are one thing.  But setting something as world
>>>readable ought to be treated just as you intended.
> 
> 
> 
> Paul Howarth wrote:
> 
> 
>>You could take this argument further: any file with "world readable" 
>>permissions should automatically be readable via the local web server 
>>(an entry in httpd.conf should be made to allow it). After all, it's 
>>world readable. Does that make sense?
> 
> 
> Yes, and that was precisely the point I was arguing.  I'd made a file's
> permissions so that it was available to everybody, so it should be...

So running "chmod a+r /path/to/filename" should automatically cause an 
edit of httpd.conf so that /path/to/filename is available by http for 
all to read? I thought I chose a particularly outrageous example but 
apparently not.

Making a file's permissions world-readable *does* make it available to 
everybody, i.e. all users equally. However, SELinux (at least for the 
targeted policy) imposes restrictions on what *processes* (not *users*) 
can do. This is how it should be IMHO.

How about another example. Suppose you're running samba. You can specify 
in samba that individual shares are available only to certain users. So 
if /path/to/filename is accessible via such a share, then even though it 
may be world-readable on the samba server itself, only the specified 
list of users can access it via samba. This is a layering of access 
rights, with the samba restrictions sitting on top of the Unix 
permissions. Only if both say "OK" is access granted. SELinux works in a 
similar fashion, layering an additional set of restrictions on top of 
the Unix permissions. The two are completely separate and should not 
affect each other. Removing one set of restrictions should not result in 
the removal of all other sets.

Paul.
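Added example, not part of the original message: a small model of the layering described above, in which the Unix permission check and the SELinux type check are evaluated separately and access requires both. The allow-set `HTTPD_READABLE_TYPES`, the function names, the `top` parameter and the sample labels are assumptions made for illustration, not the real targeted policy.

```python
import os
import stat
import tempfile

# Assumption: a simplified stand-in for the targeted policy's httpd rules,
# not the real policy. Labels used below are constructed sample values.
HTTPD_READABLE_TYPES = {"httpd_sys_content_t", "httpd_user_content_t"}

def type_of(label):
    """Extract the type field from a 'user:role:type[:level]' label."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None

def dac_world_readable(path, top="/"):
    """Unix layer: 'other' needs x on each directory up to top, r on the file."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    d = os.path.dirname(path)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def httpd_may_read(path, label, top="/"):
    """Return (dac_ok, selinux_ok, allowed); access needs both layers."""
    dac_ok = dac_world_readable(path, top)
    selinux_ok = type_of(label) in HTTPD_READABLE_TYPES
    return dac_ok, selinux_ok, dac_ok and selinux_ok

def demo():
    top = os.path.realpath(tempfile.mkdtemp())    # stands in for ~userid
    os.chmod(top, 0o711)
    pub = os.path.join(top, "public_html")
    os.mkdir(pub)
    os.chmod(pub, 0o755)
    page = os.path.join(pub, "index.html")
    open(page, "w").close()
    os.chmod(page, 0o644)                         # same effect as chmod a+r
    home = "user_u:object_r:user_home_t"          # constructed label
    web = "user_u:object_r:httpd_sys_content_t"   # constructed label
    return [httpd_may_read(page, home, top), httpd_may_read(page, web, top)]

if __name__ == "__main__":
    print(demo())
```

On a real system the label passed in would be the one `ls -Z` reports for the file.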



