Any chance for a tighter /etc/ structure?

nodata lsof at nodata.co.uk
Thu Jul 31 16:10:02 UTC 2008


On Thursday, 31.07.2008, 15:04 +0000, Kevin Kofler wrote:
> Pat Riehecky <prieheck <at> iwu.edu> writes:
> > about in apache tells me all sorts of things. Like in this user's home
> > they have a .ht_passwords file with customer access rights.  A file that
> > I can cat if I want and compromise their privacy.  A file I must be able
> > to cat because of the apache permissions.  A file I would never have
> > found if I hadn't been able to read the httpd.conf file.  The httpd.conf
> > file that as a non-root user, I never have a reason to read.
> 
> Sure, the /etc permissions are more open than necessary, but here 
> the .ht_passwords file's permissions are the actual problem. There are plenty 
> of ways to make files readable to Apache without making them world-readable:
> * use groups: make a group for each hosted site containing only the user(s) 
> allowed to modify the site and apache, then chown the file theuser:thegroup and 
> make it 640.
> * use setfacl (requires filesystem support, ext3 supports it):
> chmod 600 .ht_passwords
> setfacl -m u:apache:r .ht_passwords
> 
>         Kevin Kofler

But any user who can run scripts on the server as the apache user can
still read the files.. unless you only use php, and you try to prevent
it with safe mode or similar.
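To make the permission arguments in this exchange concrete, here is an added example (not code from either poster): a small Python model of Linux file-access checks, classic mode bits plus a POSIX.1e ACL with mask recalculation as `setfacl -m u:NAME:PERM` does it by default. The user and group names (`theuser`, `site1`, `pat`) are constructed for the illustration; only `apache` is taken from the thread.

```python
"""Model of who may read a file under mode bits plus a POSIX ACL.

Added illustration, not code from the thread. `mode` always holds the
owner / owning-group / other triples as the ACL sees them (the group::
entry); the ACL mask, which `ls` would show in the group bits, is kept
separately in `mask` so the two are not confused.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1


@dataclass
class File:
    owner: str
    group: str
    mode: int                                        # e.g. 0o640
    acl_users: Dict[str, int] = field(default_factory=dict)   # u:NAME:PERM entries
    acl_groups: Dict[str, int] = field(default_factory=dict)  # g:NAME:PERM entries
    mask: Optional[int] = None                       # only present with an extended ACL

    @property
    def owner_bits(self) -> int:
        return (self.mode >> 6) & 7

    @property
    def group_bits(self) -> int:
        return (self.mode >> 3) & 7

    @property
    def other_bits(self) -> int:
        return self.mode & 7


def setfacl_user(f: File, name: str, perm: int) -> File:
    """Emulate `setfacl -m u:name:perm`: add the entry and, as setfacl does
    by default, recompute the mask as the union of all group-class entries
    (owning group, named users, named groups)."""
    f.acl_users[name] = perm
    f.mask = f.group_bits
    for p in list(f.acl_users.values()) + list(f.acl_groups.values()):
        f.mask |= p
    return f


def can_access(f: File, user: str, groups, want: int) -> bool:
    """POSIX.1e access check as Linux applies it: owner first, then a
    matching named-user entry, then owning group / named groups (any one
    that grants wins, but a match that does not grant is a denial, never
    a fall-through to 'other'), then the other bits. Named-user and
    group-class entries are filtered through the mask."""
    if user == f.owner:
        return f.owner_bits & want == want
    mask = 7 if f.mask is None else f.mask
    if user in f.acl_users:
        return f.acl_users[user] & mask & want == want
    group_class = [f.group_bits] if f.group in groups else []
    group_class += [p for g, p in f.acl_groups.items() if g in groups]
    if group_class:
        return any(p & mask & want == want for p in group_class)
    return f.other_bits & want == want


def can_read(f: File, user: str, groups=()) -> bool:
    return can_access(f, user, set(groups), R)


def scenarios() -> Dict[str, File]:
    """The three set-ups discussed above, on a constructed .ht_passwords."""
    return {
        # what Pat found: world-readable, so any local user can cat it
        "world": File("theuser", "theuser", 0o644),
        # Kevin's first option: a per-site group {theuser, apache}, mode 640
        "group": File("theuser", "site1", 0o640),
        # Kevin's second option: chmod 600, then setfacl -m u:apache:r
        "acl": setfacl_user(File("theuser", "theuser", 0o600), "apache", R),
    }


if __name__ == "__main__":
    s = scenarios()
    for name, f in s.items():
        # "pat" is an unrelated local user; "apache" is the web server's uid
        print(name, "pat:", can_read(f, "pat", {"pat"}),
              "apache:", can_read(f, "apache", {"apache", "site1"}))
```

Running it shows the split the thread is arguing over: the unrelated user `pat` loses read access under both the group and the ACL set-up, while anything that executes with the `apache` uid keeps it in all three, which is nodata's point about server-side scripts. Note also that after `setfacl` the owning group ends up with no effective access (`group::---` masked), even though `ls` would display the mask in the group column.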




More information about the fedora-devel-list mailing list