
Re: Apache and public_html directories



On Tue, 23 Feb 1999, Paul Miller wrote:

> > Is the file /home/mark/public_html readable by the user or group
> > that Apache runs as?  I set the home directories of my users up to
> > have permissions of 710 and membership in the group that Apache runs
> > as ("wheel" on my main computer, "www-data" on every Debian
> > installation I've ever seen) and the public_html directory has
> > permissions of 775.

> > This means that Apache can get into everybody's public_html directory, but
> > no users can.
 
> This does not have to be set up this way. The permission on the user's
> home directory should be a minimum of 701. The public_html directory the
> same. The files within the public_html directory need to be a minimum of
> 604. 

I'm not sure what you're objecting to, but I definitely don't agree with
your conclusions.  701 gives everybody search access to the directory
which means that if a user happens to know or can guess the location of a
file farther down (like /home/<id>/public_html/index.html or, much worse,
a file ending in .htaccess) and that file happens to be world readable
(which 604 does) then that file can be read by anyone who has shell (few
people) or ftp (many people) access to my system.  Not a good thing.  By
giving the execute access to a privileged group to which the Web server
belongs, I have a system that is much more resistant to tampering.

Also please note that there is no effective difference between the 711 and
701 permissions or between the 644 and 604 permissions since the access
given to the group in the former cases is the same as that given to
everybody in the latter cases.

> I personally do not feel comfortable giving users membership in the
> wheel group as I have always believed it to be reserved for those
> granted some super-user rights. With the above file permissions, you can
> leave home directories and such at the default group, or whatever
> grouping scheme you wish to use.

Why would I give users membership in the wheel group?  Most of my staff
doesn't have membership in the wheel group!  All I said was that the Web
server is running in the wheel group.  As I stated in my message, the
purpose of this particular configuration is to keep users out of each
other's directories, so putting them in a group that has any access to
anyone else's home directory (or setting the home directory so that
everyone has some access, as I explain above the two are equivalent) is a
bad idea.

On the contrary, if I put the home directories in a privileged group and
give that group only limited access to those directories then my users'
directories are as safe as I can make them without enforcing some kind of
permissions policy upon them.  (One can never trust users to do the smart
thing.)  The Web server can get in, but, since it doesn't have read
access, only if it knows the path it wants to reach, which is of course
public_html and the subdirectories underneath.  If ordinary users don't
have any search permissions, it doesn't matter if they have privileges
underneath or not, they can't get to underneath.  The superuser can get
in, but root can always get in.  Preventing that requires rethinking the
concept of "root".

My question about the permissions on the files was only to verify that the
Web server had permission to read them.  If that isn't the case, then it
will return the error that was given.
-- 
Jonathan Guthrie (jguthrie@brokersys.com)
Brokersys  +281-895-8101   http://www.brokersys.com/
12703 Veterans Memorial #106, Houston, TX  77014, USA
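
The two layouts argued over in this message, as an added example that is not part of the original post: a small model of the classic Unix owner/group/other check applied to /home/mark/public_html/index.html. The account "alice", the per-user group "mark" and the 644 file mode in the first layout are assumptions; root, ACLs and the permissions on / and /home are left out.

```python
# Added example (not from the thread): classic Unix permission check along a path.
from dataclasses import dataclass

R, X = 4, 1  # read and search/execute bits within one permission class

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # e.g. 0o710

@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset

def allowed(acct, node, want):
    # Exactly one class applies: owner, else the node's group, else other.
    if acct.name == node.owner:
        bits = node.mode >> 6
    elif node.group in acct.groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & 7 & want) == want

def can_read(acct, path):
    # Needs search (x) on every directory and read (r) on the final file.
    *dirs, leaf = path
    return all(allowed(acct, d, X) for d in dirs) and allowed(acct, leaf, R)

def layout(home_group, home_mode, pub_mode, file_mode):
    # /home/mark, /home/mark/public_html, /home/mark/public_html/index.html
    return [Node("mark", home_group, home_mode),
            Node("mark", "mark", pub_mode),
            Node("mark", "mark", file_mode)]

# Constructed accounts: the web server, and another local shell/ftp user.
APACHE = Account("www-data", frozenset({"www-data"}))
ALICE = Account("alice", frozenset({"alice"}))

GROUP_SCHEME = layout("www-data", 0o710, 0o775, 0o644)  # file mode 644 assumed
WORLD_SCHEME = layout("mark", 0o701, 0o701, 0o604)

def who_can_read(path):
    return {a.name: can_read(a, path) for a in (APACHE, ALICE)}

if __name__ == "__main__":
    print("710 + web group:", who_can_read(GROUP_SCHEME))
    print("701 / 604:      ", who_can_read(WORLD_SCHEME))
```

In the 710 layout the web server has search but not read permission on the home directory, so it can reach public_html by name without being able to list what else is there.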

