[sllug-members]: HTTP Directory Permissions Best Practices
David Richardson
David.Richardson at utah.edu
Tue Sep 19 14:51:04 MDT 2006
On Tue, 19 Sep 2006, Jeff Schroeder wrote:
> Lamont wrote:
>
>> Mode 705 is unnecessary and not safe. Apache is started as root, but
>> drops all the root privileges that it no longer needs early in it's
>> startup. One of the things it does with the root privileges it
>> keeps, is get access to user's home directories under whatever
>> director is specified with the "UserDir" directive. So, Apache
>> doesn't need any special treatment to your home directories.
>
> Interesting. I don't see that behavior; if I chmod my /home/jeff
> directory to 700, Apache throws a 403 (access forbidden) error. I
> checked my UserDir settings but it's not obvious how to allow Apache to
> bypass 700 permissions.
Apache and file permissions is a complex subjet because there's actually a
couple different things going on: 1) Apache reading the actual file, and
2) Apache reading .htaccess files.
The first part is controlled only by the permissions on the file itself.
Apache has no magic abilities; if you want Apache to do something, the
user it runs as has to have sufficient permissions.
The second part is what trips people up. If AllowOverride is on, then
Apache looks for .htaccess files in the directory and its parents, all the
way up to / (or a directory with AllowOverride turned off). For Apache to
find and read the .htaccess file, the directories must all be executable.
Here's a real-life example:
davidr at sentinel-a:~> ls -ld ~
drwx-----x 53 davidr chpc 4096 Sep 19 14:10 /home/davidr/
davidr at sentinel-a:~> ls -ld ~/public_html
drwx-----x 18 davidr chpc 4096 Sep 2 18:14 /home/davidr/public_html/
davidr at sentinel-a:~> ls -l ~/public_html/index.html
-rw-r--r-- 1 davidr chpc 3656 Sep 10 2004 /home/davidr/public_html/index.html
(Has it really been two *years* since I last mucked with my site?)
Apache only needs read access to a directory if you are using mod_index to
give you directory listings.
The consequences of making my home directory world-executable are minimal:
people cannot list my files; they can't create or remove files. They can
"ls" a file *if* they already know its name. They can also read a file if
they know its name *and* if the file itself is also world-readable.
There's a longer discussion of this at
http://httpd.apache.org/docs/2.2/howto/htaccess.html. The URL says 2.2,
but it's been like this since the 1.3 days (7-8 years ago), on both Linux
and Solaris.
O'Reilly's "Essential System Administration" also has a good discussion on
directory permissions.
Dave
--
David Richardson <david.richardson at utah.edu>
"It can be scary meeting new people, especially when they
are the shock troops of a brutal alien civilization."
-- Penny Arcade
More information about the sllug-members
mailing list