Am Donnerstag, den 31.07.2008, 15:04 +0000 schrieb Kevin Kofler: > Pat Riehecky <prieheck <at> iwu.edu> writes: > > about in apache tells me all sorts of things. Like in this user's home > > they have a .ht_passwords file with customer access rights. A file that > > I can cat if I want and compromise their privacy. A file I must be able > > to cat because of the apache permissions. A file I would never have > > found if I hadn't been able to read the httpd.conf file. The httpd.conf > > file that as a non-root user, I never have a reason to read. > > Sure, the /etc permissions are more open than necessary, but here > the .ht_passwords file's permissions are the actual problem. There are plenty > of ways to make files readable to Apache without making them world-readable: > * use groups: make a group for each hosted site containing only the user(s) > allowed to modify the site and apache, then chown the file theuser:thegroup and > make it 640. > * use setfacl (requires filesystem support, ext3 supports it): > chmod 600 .ht_passwords > setfacl -m u:apache:r .ht_passwords > > Kevin Kofler But any user who can run scripts on the server as the apache user can still read the files.. unless you only use php, and you try to prevent it with safe mode or similar. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
