Re: [users@httpd] Trying to access directory index outside doc root

On Thu, 7 Apr 2005, Kevin Old wrote:

> On Apr 7, 2005 9:35 AM, Kevin Old <kevinold@xxxxxxxxx> wrote:
> > On Apr 6, 2005 1:51 PM, Robert Zagarello <bzag0@xxxxxxxxx> wrote:
> > >
> > > Kevin,
> > >
> > > My apache config file shows the realname enclosed in
> > > quotes with a terminating slash in the Alias
> > > directive, so try:
> > >
> > > Alias /excessinvarch/ "/home/kdo/working/excessinv/"
> > >
> > 
> > Thanks for your help.  I think that the problem is file system
> > permissions.  My Apache processes are running as user and group
> > "apache", but the data under /home/kdo/working/excessinv is (of
> > course) owned by user "kdo".
> > 
> > One "fix" is to set all the permissions on my directories under
> > /home/kdo to 777.  It's insecure though.  Isn't there a way to tell
> > apache who owns a certain directory?  Maybe with the user and group
> > commands in a <Directory> block?
> > 
> > Any help is appreciated!
> > Kevin
> > --
> > Kevin Old
> > kevinold@xxxxxxxxx
> > 
> 
> One final note, the error I'm getting when trying to access the alias
> is a 403 Forbidden.
> 
> 

There is no way for apache to use any user or group statements in
httpd.conf to read files for which its user has no permissions in the
filesystem.  You may start Apache as root, but it immediately switches to
the defined user once the tasks needing root privileges are done, which is
usually just opening the privileged port 80.  My understanding is that it
does not retain any root privileges after that, so buffer overruns and
similar exploits don't give root access.  Your best bet is to change the
group on the required directory to 'apache', then allow group read/execute
on the directory (sudo chgrp -R apache /home/kdo; sudo chmod -R g+X
/home/kdo;  sudo chmod -R g+r /home/kdo/working/excessinv).

-- 
Craig Dunigan
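
Added example (not part of the original message): a small diagnostic for the 403 discussed above. It walks from the aliased directory up to / and lists every component that a given uid/gid set cannot search or read. It assumes GNU stat and looks at classic mode bits only; the function names perm_bits and blockers are made up for this illustration.

```shell
#!/bin/sh
# Added example. Needs GNU stat; checks classic mode bits only (no ACLs/SELinux).

# perm_bits UID "GID ..." FILE -> the rwx digit (0-7) that applies to that identity
perm_bits() {
    set -- "$1" "$2" $(stat -c '%u %g %a' "$3")   # $3=owner uid $4=group gid $5=mode
    m=$((0$5))                                    # octal mode string -> integer
    if [ "$1" = "$3" ]; then echo $(( (m >> 6) & 7 )); return; fi
    for g in $2; do
        if [ "$g" = "$4" ]; then echo $(( (m >> 3) & 7 )); return; fi
    done
    echo $(( m & 7 ))
}

# blockers UID "GID ..." DIR -> one line per component that identity cannot use
blockers() {
    p=$(cd "$3" && pwd -P) || return 2
    # The directory being served needs read (4) and search (1) for an index listing.
    [ $(( $(perm_bits "$1" "$2" "$p") & 5 )) -eq 5 ] || echo "$p: needs r-x"
    # Every ancestor up to / needs search (1) only.
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        [ $(( $(perm_bits "$1" "$2" "$p") & 1 )) -eq 1 ] || echo "$p: needs --x"
    done
    return 0
}

# Usage with the names from this thread, run as root or as the directory owner:
#   blockers "$(id -u apache)" "$(id -G apache)" /home/kdo/working/excessinv
```

Components that are not listed already allow the access Apache needs, so only the listed ones need their group or mode adjusted.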



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
