[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Users deleting public_html and log causing Apache to fail startup

On Fri, Jul 05, 2002 at 11:38:53AM +1000, Jason Lim wrote:
> > But won't "rmdir ." succeed if they are in the public_html directory?
> I was just thinking about (using your examples) making the htdocs and
> cgi-bin directories immutable (+i). However, I am not very familiar with
> using those "flags" so Im not certain as to what consequences that would
> have... making it immutable means that the directory won't be able to be
> deleted, but files CAN be added/deleted within the immutable directory
> directory, right?

I think the +t sticky bit is what you want. From the chmod man page;

       When the sticky bit is set on a directory, files in that
       directory may only be unlinked or renamed by root or their
       owner.  (Without the sticky bit, anyone able to write to
       the  directory can delete or rename files.) ...

Given this, I would suggest something like this for an example user "abo";

minkirri:~$ dl
total 2
drwxrws--t    4 root     abo            81 Jul  5 13:13 ./
drwxrwsrwx    6 root     root          458 Jul  5 13:17 ../
drwxr-s---    2 root     abo            35 Jul  5 13:13 log/
drwxrwsr-x    2 root     abo            35 Jul  5 13:13 public_html/

Note that ~ only allows "other" execute access. This allows apache to access
and serve ~/public_html, but no "other"s can list ~. The +t setting means
files in this directory can only be deleted/renamed by their owners. The g+s
settings are there to ensure files in these directories are group abo.

Note that ~, ~/log, and ~/public_html are root:abo. The group abo has
read/write access to ~/public_html, but because abo doesn't own it he can't
remove it. The group abo has only read access to ~/log and can't remove it

ABO: finger abo@minkirri.apana.org.au for more info, including pgp key

To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: