
Re: exploring debian's users and groups



On Sun, 03 Feb 2002, Norbert Veber wrote:
> On Sun, Feb 03, 2002 at 11:29:07PM +0100, Manfred Wassmann wrote:
> > Norbert Veber <nveber@debian.org> writes:
> > 
> > [...]
> > 
> > > or that no file must be owned by [...] "www-data", 
> > 
> > No way.  If apache runs as www-data and you are using things like
> > mod_dav (WebDAV), then apache must have full access to any html

That is an extremely stupid thing to do, which one must do only at the risk of
their own neck.

You DO understand that Debian policy dictates only what Debian packages will
do, and that the user can cheerfully hang his neck and chgrp everything to
www-data, don't you?

> > documents and directories to be maintained via WebDAV.  Ie they *must*
> > be owned by www-data.

Then don't use WebDAV. Or teach it to use suid wrappers that authenticate the
user and enforce proper filesystem permissions -- at least now you have one
security layer to defeat before destroying other people's work.

> Be that as it may, I was talking in the context of debian packages.  Ie.
> they shouldn't provide any files owned by www-data, what the
> administrator does after that is his problem :)

Exactly.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
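An added defender's check, not part of the original thread: a POSIX sh audit that lists the files under a web root that the web server account could modify (owned by its uid, group-writable with its gid, or world-writable), which is the exposure the discussion above is about. The function names and the numeric uid/gid arguments are my own assumptions, not anything from Debian policy or the apache packages.

```shell
#!/bin/sh
# Assumed helper (not from the thread): classify one path by whether the
# web server account (WEB_UID/WEB_GID, e.g. www-data's ids) could write it.
# classify_path PATH WEB_UID WEB_GID -> "<risk> <path>", risk being one of
#   owner          : owned by the web server uid, so it has full control
#   group-writable : file's group is the web server gid and g+w is set
#   world-writable : anyone, the web server included, may write it
#   ok             : the web server cannot modify it
classify_path() {
    path=$1; web_uid=$2; web_gid=$3
    # 'ls -ln' prints numeric ids: "-rw-r--r-- 1 1000 1000 ... name";
    # awk keeps only mode, uid, gid so the path itself is never re-expanded.
    set -- $(ls -lnd "$path" | awk '{print $1, $3, $4}')
    mode=$1; uid=$2; gid=$3
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit of the mode string
    ow=$(printf '%s' "$mode" | cut -c9)   # other (world) write bit
    if [ "$uid" = "$web_uid" ]; then
        echo "owner $path"
    elif [ "$gid" = "$web_gid" ] && [ "$gw" = "w" ]; then
        echo "group-writable $path"
    elif [ "$ow" = "w" ]; then
        echo "world-writable $path"
    else
        echo "ok $path"
    fi
}

# audit_webroot DIR WEB_UID WEB_GID: walk DIR and print only the findings.
audit_webroot() {
    find "$1" -type f | while IFS= read -r f; do
        classify_path "$f" "$2" "$3"
    done | awk '$1 != "ok"'
}

# count_web_writable DIR WEB_UID WEB_GID: number of findings, as a bare integer.
count_web_writable() {
    n=$(audit_webroot "$1" "$2" "$3" | wc -l)
    echo $((n + 0))
}

# Usage: on a Debian host the ids would come from "id -u www-data"/"id -g www-data".
# audit_webroot /var/www "$(id -u www-data)" "$(id -g www-data)"
```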
