[sllug-members]: HTTP Directory Permissions Best Practices
Lamont R. Peterson
lamont at gurulabs.com
Tue Sep 19 14:15:41 MDT 2006
On Tuesday 19 September 2006 01:48pm, Jeff Schroeder wrote:
[snip]
> Interesting. I don't see that behavior; if I chmod my /home/jeff
> directory to 700, Apache throws a 403 (access forbidden) error. I
> checked my UserDir settings but it's not obvious how to allow Apache to
> bypass 700 permissions.
What distribution are you using?
It just works for me with the out-of-the-box builds of Apache on both Red Hat
and SUSE distros.
BTW, for the scenarios I described in my earlier reply to this thread, I am
rarely using UserDir. Instead, those web directories are under /var/www/
or /srv/www/ or some such.
> Can you give me an example of the proper UserDir settings to allow
> Apache to get past 700 on /home/*? I'd prefer 700 to 705, but since
> the former doesn't work for me I've always used the latter.
>
> > By using a mode other than 700 for home directories, they become open
> > to anyone who is not in the group which owns the home directory, not
> > just Apache.
>
> That's acceptable in my setup because ALL users who have access to the
> server are in the "users" group and thus cannot see anything but their
> own home directory. You're right that if you had people in lots of
> other groups, there would be a security problem.
Yup. Always a matter of balancing risks.
> > Not only is "777" writable by Apache, but it's writable by everyone.
>
> Agreed, but since the users can't access any sub-directories in other
> users' areas (see above), it's secure against unauthorized access.
Until something else is changed without keeping something like this in mind or
by someone else who doesn't know or doesn't understand. Of course, if you're
the only one on the server (administering it), it isn't likely to happen so
it's not a big deal.
> As I said, this works for me. As you said, there's always "just one
> more thing" that could be done to tighten the bolts a bit. :)
Yup.
--
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
NOTE: All messages from this email address should be digitally signed with my
0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
well as other keyservers that sync with MIT's.
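As an added illustration of the 700 / 705 / 777 trade-off discussed above (this script is not part of the thread), the following audits the "other" permission bits of home or web directories from the point of view of a web server running as its own unprivileged user. It assumes GNU coreutils `stat` (Linux, as on the Red Hat and SUSE systems mentioned); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: classify directory modes the way the
# discussion does, so an admin can see which directories a web server running
# as a non-owner, non-group user (apache, wwwrun, ...) can traverse or write.
# Assumes GNU coreutils stat, as found on Red Hat and SUSE systems.

# classify_mode MODE -> prints one of: private | listable | traversable | world-writable
# MODE is the octal mode as printed by `stat -c %a`, e.g. 700, 705, 777, 2775.
classify_mode() {
    mode=$1
    # The last octal digit carries the "other" bits: r=4 w=2 x=1.
    other=${mode#"${mode%?}"}
    if [ $(( other & 2 )) -ne 0 ]; then
        echo world-writable      # anyone may create or remove entries (the 777 case)
    elif [ $(( other & 1 )) -ne 0 ]; then
        echo traversable         # others may enter; Apache can reach public_html (705, 711)
    elif [ $(( other & 4 )) -ne 0 ]; then
        echo listable            # others can list names but not enter or open files (704)
    else
        echo private             # others cannot enter; Apache answers 403 (700)
    fi
}

# audit_dir DIR -> prints "DIR MODE OWNER CLASS"; exit status 1 if world-writable,
# 2 if the directory cannot be stat'ed, 0 otherwise.
audit_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 2
    owner=$(stat -c '%U' "$dir")
    class=$(classify_mode "$mode")
    echo "$dir $mode $owner $class"
    [ "$class" != world-writable ]
}

# audit_homes BASE -> audits every directory directly under BASE (e.g. /home).
audit_homes() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] && audit_dir "${d%/}"
    done
    return 0
}

# Usage: sh audit-webdirs.sh /home   (or /var/www, /srv/www)
if [ -n "${1:-}" ]; then audit_homes "$1"; fi
```

A directory that the script reports as `private` is the case where Apache returns 403 for UserDir requests; `traversable` is the 705/711 compromise the thread settles on, and `world-writable` flags the 777 case.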