
RE: Users, groups, rights and apache please advice



I've already used the other solution (make www-data member of the
groups) and it works fine (I want www-data to be able to write in some
situations). 
BTW I just noticed I've sent this mail to debian-devel, I meant to send
it to debian-user, my apologies to anyone who felt the least bit annoyed
by yet another user who doesn't know where to go for help.

-----Original Message-----
From: Brian May [mailto:bam@debian.org] 
Sent: 09 October 2003 03:21
To: Ron Rademaker
Cc: debian-devel@lists.debian.org
Subject: Re: Users, groups, rights and apache please advice


On Wed, Oct 08, 2003 at 11:50:01AM +0200, Ron Rademaker wrote:
> I got the following situation:
>     A server (debian stable) running a number of domains 
>     For each domain I've created a group, and everybody that has 
> something to do with this domain is in that group
>     I want everybody in the group to be able to change the website of 
> that domain, and everybody who's not in that group shouldn't even be 
> able to read the files (because of plain text database passwords that 
> can often be found in files like db.php)
>     So I use a umask of 007, everything looks good so far
>     However Apache doesn't quite like it, Apache can't read the files
> (obviously) and the Group directive works only for CGI :-( (within a
> virtualhost)

Another solution would be to use ACL (access control lists).

That way you can give www-data read-only access to the
files, but anyone in the group can write to the files.

That way, if anybody compromises apache, the most an attacker could do
is read any web file, but not write to them.
-- 
Brian May <bam@debian.org>
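
Added example, not part of the original thread: one way to set up the ACL arrangement described in the reply above (group members read/write, www-data read-only, everyone else nothing) with the standard `setfacl` tool. The function names and the `DRY_RUN` switch are assumptions made for illustration; the document root and group are whatever the caller passes in.

```shell
# grant_web_readonly DOCROOT GROUP [WEBUSER]   (hypothetical helper, not from the thread)
# With DRY_RUN=1 each command is printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

grant_web_readonly() {
    docroot=$1
    group=$2
    webuser=${3:-www-data}
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }

    # Group members keep read/write; "other" gets nothing (same effect as umask 007).
    run chgrp -R "$group" "$docroot"
    run chmod -R u=rwX,g=rwX,o= "$docroot"
    # setgid on directories so newly created files inherit the domain group.
    run find "$docroot" -type d -exec chmod g+s {} +
    # Access ACL: the web server may read files and traverse directories (X),
    # but gets no write bit. Run after chmod: on a file that carries an ACL,
    # a later chmod of the group bits changes the ACL mask instead.
    run setfacl -R -m "u:$webuser:rX" "$docroot"
    # Default ACL on directories so files created later get the same entries.
    # When a default ACL exists the creator's umask is not applied, so
    # "other" is denied here explicitly.
    run find "$docroot" -type d -exec setfacl -d -m "u:$webuser:rX,g::rwX,o::---" {} +
}
```

Running it once with `DRY_RUN=1` shows the exact commands before anything is changed; afterwards `getfacl` on a file under the document root should list `user:www-data:r--` and no write entry for that user.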



