[sllug-members]: HTTP Directory Permissions Best Practices

Jeff Schroeder jeff at zingstudios.net
Tue Sep 19 13:48:03 MDT 2006


Lamont wrote:

> Mode 705 is unnecessary and not safe.  Apache is started as root, but
> drops all the root privileges that it no longer needs early in its
> startup.  One of the things it does with the root privileges it
> keeps, is get access to users' home directories under whatever
> directory is specified with the "UserDir" directive.  So, Apache
> doesn't need any special treatment to your home directories.

Interesting.  I don't see that behavior; if I chmod my /home/jeff 
directory to 700, Apache throws a 403 (access forbidden) error.  I 
checked my UserDir settings but it's not obvious how to allow Apache to 
bypass 700 permissions.

Can you give me an example of the proper UserDir settings to allow 
Apache to get past 700 on /home/*?  I'd prefer 700 to 705, but since 
the former doesn't work for me I've always used the latter.

> By using a mode other than 700 for home directories, they become open
> to anyone who is not in the group which owns the home directory, not
> just Apache.

That's acceptable in my setup because ALL users who have access to the 
server are in the "users" group and thus cannot see anything but their 
own home directory.  You're right that if you had people in lots of 
other groups, there would be a security problem.

> Not only is "777" writable by Apache, but it's writable by everyone.

Agreed, but since the users can't access any sub-directories in other 
users' areas (see above), it's secure against unauthorized access.

As I said, this works for me.  As you said, there's always "just one 
more thing" that could be done to tighten the bolts a bit. :)

Thanks,
Jeff
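The thread turns on what the "other" permission bits of a home directory let a process outside the owner's group do: 700 produces the 403 Jeff sees, 705 makes the directory listable by every local account, and 777 on a subdirectory makes it writable by everyone. The audit script below is an added example, not code from either poster; it classifies each home directory under a root by those bits and lists any world-writable directories in the tree. It goes one step beyond the thread by recognising the execute-only mode (711) as a third case, since traverse permission alone is what a web server needs to reach public_html without being able to list the home directory. It assumes POSIX sh, ls, find, cut, sed and mktemp, and the constructed layout in make_sandbox (users alice, bob and carol) is sample data built for the run.

```shell
#!/bin/sh
# Added example: audit the "other" permission bits of a UserDir-style tree.
# Assumptions: POSIX sh utilities; home directories sit directly under the
# audited root, each holding a public_html subdirectory.

# Print the "other" permission triplet of a path, e.g. "r-x", "--x", "---".
# Columns 8-10 of `ls -ld` output hold those bits on every POSIX ls.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Classify a home directory by what a process outside owner and group can do:
#   closed         (700)  nothing; a UserDir request is refused with 403
#   traverse-only  (711)  may pass through to public_html but cannot list the home
#   world-readable (705+) may list the home directory contents, the exposure
#                         Lamont points out for any mode other than 700
classify_home() {
    case "$(other_bits "$1")" in
        r*)      echo world-readable ;;
        ??x|??t) echo traverse-only ;;
        *)       echo closed ;;
    esac
}

# One line per home directory under $1: "<name> <classification>".
audit_homes() {
    for home in "$1"/*/; do
        home=${home%/}
        printf '%s %s\n' "$(basename "$home")" "$(classify_home "$home")"
    done
}

# Every directory under $1 whose "other" bits include write (the 777 case),
# printed relative to $1 so the output does not depend on where the tree lives.
world_writable_dirs() {
    find "$1" -type d -perm -002 | sed "s|^$1/||" | sort
}

# Build a constructed layout to run the audit against (sample data, not a real host).
make_sandbox() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html/uploads" "$root/bob/public_html" "$root/carol/public_html"
    chmod 705 "$root/alice"                      # the mode the thread settles on
    chmod 777 "$root/alice/public_html/uploads"  # the "777" subdirectory
    chmod 711 "$root/bob"                        # execute-only: traversable, not listable
    chmod 700 "$root/carol"                      # the mode Jeff wanted but got 403 with
    printf '%s\n' "$root"
}

# Run with --demo to print the audit of the constructed layout.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sandbox)
    audit_homes "$root"
    echo "world-writable:"
    world_writable_dirs "$root"
    rm -rf "$root"
fi
```

Because the classification reads mode bits rather than attempting access, it gives the same answer whether it is run as root or as an unprivileged user; an access-based check run as root would report every directory as reachable.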