[sllug-members]: HTTP Directory Permissions Best Practices
Lamont R. Peterson
lamont at gurulabs.com
Wed Sep 20 11:54:07 MDT 2006
On Wednesday 20 September 2006 11:00am, Jeff Schroeder wrote:
> Andrew asked:
> > If a user is a member of a file's group that has
> > no group permissions, but the file has wide open "other" access,
> > should the user be able to access the file?
>
> Not at all. The permissions are user+group+world, and "world" means
> "not in this group". In other words, if I'm user "jeff" in group
> "users", and my directory is chmod 705, then I can see it and write to
> it (I have rwx permission), and anyone NOT in the "users" group can see
> it (with r-x permission). In the example I gave, Apache is in the
> "nobody" group
Careful there. The way you phrased that makes it sound like just because
Apache is in another group besides "users" you are saying that just because
Apache does not have "users" as its default primary group that everything is
good. I know that's not what you were trying to say, but my first pass
reading this gave me that impression and I had to read it a second time to
make sure.
What I think would make this less ambiguous, would be to say, "Apache is not
in the "users" group so it can see the web files."
> so it can see the web files. No other users (who are
> all in the "users" group) can see them.
But this also means that *any* account that is not a member of the "users"
group can get into your home directory and see everything. This includes any
FTP server, mail server, or any other process that runs under a "system"
account, which is just about every single networked service you have. That's
the main reason why I don't like this approach.
--
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
NOTE: All messages from this email address should be digitally signed with my
0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
well as other keyservers that sync with MIT's.
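The access rule this thread turns on, as an added example that is not part of the original post or anyone's code on the list: a small model of the POSIX owner/group/other selection, which picks exactly one bit triplet and never falls back from a restrictive group triplet to a permissive "other" one. Root is not modelled, and the uids, gids and account names are constructed for the walkthrough.

```python
import stat

# Constructed identities for the walkthrough (not real system accounts).
USERS_GID = 100  # the "users" group from the thread
JEFF = {"uid": 1000, "gid": USERS_GID, "groups": {USERS_GID}}      # owner of ~jeff
BOB = {"uid": 1001, "gid": USERS_GID, "groups": {USERS_GID}}       # another "users" member
NOBODY = {"uid": 65534, "gid": 65534, "groups": {65534}}           # Apache's account in the thread

SHIFT = {"owner": 6, "group": 3, "other": 0}
BIT = {"r": 4, "w": 2, "x": 1}


def permission_class(owner_uid, owner_gid, actor):
    """Pick the ONE triplet the kernel consults for this actor.

    Owner is checked first, then group (primary or supplementary), then other.
    A group member whose group triplet is 000 is denied even if 'other' is 777.
    """
    if actor["uid"] == owner_uid:
        return "owner"
    if owner_gid == actor["gid"] or owner_gid in actor["groups"]:
        return "group"
    return "other"


def access(mode, owner_uid, owner_gid, actor, want):
    """True if every letter in `want` ('r', 'w', 'x') is granted to this actor."""
    cls = permission_class(owner_uid, owner_gid, actor)
    triplet = (stat.S_IMODE(mode) >> SHIFT[cls]) & 0o7
    return all(triplet & BIT[p] for p in want)


def rwx(mode, owner_uid, owner_gid, actor):
    """ls-style summary of what `actor` can actually do with the object."""
    return "".join(p if access(mode, owner_uid, owner_gid, actor, p) else "-" for p in "rwx")


if __name__ == "__main__":
    # Jeff's example: ~jeff is chmod 705, owned by jeff:users.
    for name, who in (("jeff", JEFF), ("bob (in users)", BOB), ("nobody (apache)", NOBODY)):
        print(f"{name:16s} on 705 home dir -> {rwx(0o705, JEFF['uid'], USERS_GID, who)}")
    # Andrew's question: no group bits, wide-open "other" (0707); a group member still loses.
    print("bob (in users)   on 707 file     ->", rwx(0o707, JEFF["uid"], USERS_GID, BOB))
```

Run as-is it prints rwx for jeff, --- for bob, r-x for nobody, and --- for bob on the 0707 file, which is Lamont's point: every account outside "users", system accounts included, gets the r-x.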