[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Any chance for a tighter /etc/ structure?



Pat Riehecky <prieheck <at> iwu.edu> writes:
> about in apache tells me all sorts of things. Like in this user's home
> they have a .ht_passwords file with customer access rights.  A file that
> I can cat if I want and compromise their privacy.  A file I must be able
> to cat because of the apache permissions.  A file I would never have
> found if I hadn't been able to read the httpd.conf file.  The httpd.conf
> file that as a non-root user, I never have a reason to read.

Sure, the /etc permissions are more open than necessary, but here 
the .ht_passwords file's permissions are the actual problem. There are plenty 
of ways to make files readable to Apache without making them world-readable:
* use groups: make a group for each hosted site containing only the user(s) 
allowed to modify the site and apache, then chown the file theuser:thegroup and 
make it 640.
* use setfacl (requires filesystem support, ext3 supports it):
chmod 600 .ht_passwords
setfacl -m u:apache:r .ht_passwords

        Kevin Kofler


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]