Pat Riehecky <prieheck <at> iwu.edu> writes:

> about in apache tells me all sorts of things. Like in this user's home
> they have a .ht_passwords file with customer access rights. A file that
> I can cat if I want and compromise their privacy. A file I must be able
> to cat because of the apache permissions. A file I would never have
> found if I hadn't been able to read the httpd.conf file. The httpd.conf
> file that as a non-root user, I never have a reason to read.

Sure, the /etc permissions are more open than necessary, but here the .ht_passwords file's permissions are the actual problem. There are plenty of ways to make files readable to Apache without making them world-readable:

* use groups: make a group for each hosted site containing only the user(s) allowed to modify the site and apache, then chown the file theuser:thegroup and make it 640.

* use setfacl (requires filesystem support, ext3 supports it):

  chmod 600 .ht_passwords
  setfacl -m u:apache:r .ht_passwords

Kevin Kofler
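As an added illustration of the group-based fix above (not part of the original thread), the following POSIX shell functions audit a web root for world-readable .ht_passwords files and lock one down to owner-plus-group (mode 640); the group name passed to restrict_to_group is assumed to be one shared by the site owner and the Apache user.

```shell
# Returns 0 if the file is readable by "other" (world-readable), 1 otherwise.
# Character 8 of the ls mode string is the other-read bit: 'r' or '-'.
world_readable() {
    case "$(ls -ld -- "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Lock a credentials file to owner rw, group r, nothing for others.
# $1 = file, $2 = group containing the site owner and the apache user (assumed).
restrict_to_group() {
    chgrp -- "$2" "$1" && chmod 640 "$1"
}

# List every .ht_passwords / .htpasswd file under $1 that has the other-read
# bit set (-perm -004 is the POSIX spelling). Returns 0 if none were found.
audit_world_readable() {
    offenders=$(find "$1" -type f \
        \( -name '.ht_passwords' -o -name '.htpasswd' \) -perm -004)
    if [ -n "$offenders" ]; then
        printf 'world-readable: %s\n' $offenders
        return 1
    fi
    return 0
}
```

Run audit_world_readable against a vhost's document root from cron to catch files that drift back to 644 after an upload.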