Re: Any chance for a tighter /etc/ structure?

On Thursday, 31.07.2008, at 15:04 +0000, Kevin Kofler wrote:
> Pat Riehecky <prieheck <at> iwu.edu> writes:
> > about in apache tells me all sorts of things. Like in this user's home
> > they have a .ht_passwords file with customer access rights.  A file that
> > I can cat if I want and compromise their privacy.  A file I must be able
> > to cat because of the apache permissions.  A file I would never have
> > found if I hadn't been able to read the httpd.conf file.  The httpd.conf
> > file that as a non-root user, I never have a reason to read.
> 
> Sure, the /etc permissions are more open than necessary, but here 
> the .ht_passwords file's permissions are the actual problem. There are plenty 
> of ways to make files readable to Apache without making them world-readable:
> * use groups: make a group for each hosted site containing only the user(s) 
> allowed to modify the site and apache, then chown the file theuser:thegroup and 
> make it 640.
> * use setfacl (requires filesystem support, ext3 supports it):
> chmod 600 .ht_passwords
> setfacl -m u:apache:r .ht_passwords
> 
>         Kevin Kofler

But any user who can run scripts on the server as the apache user can
still read the files... unless you only use PHP, and you try to prevent
it with safe mode or similar.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
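
As an added example (not part of either message in this thread), a small audit script for the permission schemes discussed above: it lists `.ht*` password files under a directory and reports whether each is world-readable, opened up through a named ACL entry, readable through its group, or restricted to the owner. It assumes GNU find and stat; the function names and output labels are made up for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU find/stat (as on Fedora).
# The '.ht*' pattern follows the .ht_passwords file named in the thread;
# audit_htfiles and its output labels are hypothetical names.

# has_named_acl PATH: true if getfacl is installed and PATH carries a named
# user/group entry such as "user:apache:r--" (the setfacl approach).
has_named_acl() {
    command -v getfacl >/dev/null 2>&1 || return 1
    getfacl -c -- "$1" 2>/dev/null | grep -Eq '^(user|group):[^:]+:'
}

# audit_htfiles DIR: print one "LABEL path" line per password file.
audit_htfiles() {
    find "$1" -type f -name '.ht*' -exec stat -c '%a %G %n' {} + 2>/dev/null |
    while read -r mode group path; do
        if [ $(( 0$mode & 4 )) -ne 0 ]; then
            # "other" read bit set: every local account can cat the file.
            echo "WORLD-READABLE $path"
        elif has_named_acl "$path"; then
            # With an ACL the group bits shown by stat are the ACL mask,
            # so this case is tested before the plain group case.
            echo "ACL $path"
        elif [ $(( 0$mode & 040 )) -ne 0 ]; then
            # Group approach (chown theuser:thegroup, mode 640).
            echo "GROUP-READABLE($group) $path"
        else
            echo "OWNER-ONLY $path"
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_htfiles "$1"
fi
```

The check looks only at each file's own mode and ACL; permissions on the parent directories can still block access that the file mode would allow.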
