Re: Users, groups, rights and apache please advice
On Wed, Oct 08, 2003 at 11:50:01AM +0200, Ron Rademaker wrote:
> I got the following situation:
> A server (debian stable) running a number of domains
> For each domain I've created a group, and everybody that has
> something to do with this domain is in that group
> I want everybody in the group to be able to change the website of
> that domain, and everybody who's not in that group shouldn't even be
> able to read the files (because of plain text database passwords that
> can often be found in files like db.php)
> So I use a umask of 007, everything looks good so far
> However Apache doesn't quite like it, Apache can't read the files
> (obviously) and the Group directive works only for CGI :-( (within a
Another solution would be to use ACLs (access control lists).
That way you can give www-data read-only access to the
files, but anyone in the group can write to the files.
That way, if anybody compromises Apache, the most an attacker
could do is read any web file, but not write to them.
Brian May <firstname.lastname@example.org>
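
The ACL layout suggested in the reply above, as an added example that is not part of the original message: one function applies it with `setfacl`, and a second audits `getfacl -R` output so that a writable or world-readable file is caught. The docroot `/var/www/example.com`, the group name `example-com` and the function names are assumptions; the acl tools and a filesystem mounted with ACL support are required.

```shell
# Assumed names (not from the thread): docroot /var/www/example.com, group example-com.
# Needs the acl tools and a filesystem mounted with ACL support.

# Group members read/write, web server user read-only, everyone else nothing.
acl_apply() {
    docroot=$1; group=$2; webuser=${3:-www-data}
    chgrp -R "$group" "$docroot"
    chmod -R g+rwX,o-rwx "$docroot"
    find "$docroot" -type d -exec chmod g+s {} +   # new files inherit the group
    setfacl -R -m "u:$webuser:r-X" "$docroot"      # X: traverse directories only
    # Default ACL: files created later get the same entries regardless of umask.
    find "$docroot" -type d -exec setfacl -d -m "u:$webuser:r-X,g::rwX,o::---" {} +
}

# Audit `getfacl -R` output on stdin: fail if the web user can write or "other"
# has any access. Uses the #effective rights when getfacl prints them.
acl_check() {
    awk -F: -v u="${1:-www-data}" '
        /^# file:/ { file = substr($0, 9); next }
        /^#/ || NF < 3 { next }
        { p = match($0, /#effective:/) ? substr($0, RSTART + 11, 3) : substr($3, 1, 3) }
        $1 == "user" && $2 == u && p ~ /w/ { print file ": " u " can write"; bad = 1 }
        $1 == "other" && p != "---" { print file ": accessible outside the group"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample of getfacl output for one file after acl_apply.
sample_getfacl() {
    cat <<'EOF'
# file: var/www/example.com/db.php
# owner: ron
# group: example-com
user::rw-
user:www-data:r--
group::rw-
mask::rw-
other::---
EOF
}

# Usage: acl_apply /var/www/example.com example-com
#        getfacl -R /var/www/example.com | acl_check www-data
```

A later `chmod` on the group bits rewrites the ACL mask, so rerun the audit after any permission change.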