Apache/httpd and permissions of user directories

Longman, Bill longman at sharplabs.com
Thu Oct 7 12:52:24 MDT 2004 

<snip>
> I also found the Apache 1.3 FAQ and this comment about permissions:
> <quote>
> You can determine which case applies to your situation by checking the
> error log.
> In the case where file system permission are at fault, remember that
> not only must the directory and files in question be readable, but
> also all parent directories must be at least searchable (i.e., chmod
> +x /directory/path) by the web server in order for the content to be
> accessible.
> </quote>
> 
> My concern & question:
> 
> How can I safely modify the parent directories to be searchable by
> user apache without allowing other users access to the contents of
> these parent directories (it's not a major concern but I'd rather
> learn how to do security properly). Is having these directories
> searchable a problem?

Eric, there's no problem with having directories with 755 permissions, in
most cases, even 775 permissions are valid in most cases, depending on the
group ownership. In your case, /home should be at least 111, /home/bob
should be at least 711, and /home/bob/html should be at least 751 with owner
bob and group apache.

Directory      Permission User Group
------------------------------------
/home          drwxr-xr-x root root
        gotta have      ^
/home/bob      drwxr-xr-x bob  bob
        gotta have      ^
/home/bob/html drwxr-x--x bob  apache
        gotta have ^ ^  ^      ^^^^^^

The permissions above are 755, 755 and 751. You'll need o+x on the entire
directory hierarchy in order for apache to even get there.

Some people squirm about having o+rx on home directories, but that's like
people's front porch. You ought to be able to go into bob's directory, but
not necessarily get into any of his directories unless he lets you. If you
are both working on a project together, you can have directories in your
homes and, if you're both members of the same group, give g+rwx permission
and you can then share files. If the files are just for that group, take
away all other access with o-rwx.

Caveat, searchable probably isn't an accurate term for directory
permissions. They are executable "x" meaning that you can at least travel
through it. They are readable, meaning that you are allowed to see the
entries for that directory (the file listing). Searchable, to me, sounds
like a mix of both read and execute permissions.

There's lots of other cool things you can do with setuid, setgid and sticky
bits when used with directories. For instance, if bob and alice are both
members of group "ipsec" and a directory is created with group ipsec and the
setgid turned on, all files created in that directory will belong to group
"ipsec", regardless of the group that bob and alice have as their default.

/usr/ipsec   drwxrsx--x  root ipsec

bob's profile usually has a group of "bob"
alice usually has a group of "alice"

/etc/group shows:
ipsec:x:512:bob,alice

Now, they can both use the /usr/ipsec directory and when files are created
there, they both have access to the files there without having to manually
change the group on the files. It is left as an exercise to the user to see
what effect this would have (chmod +t /usr/ipsec):

/usr/ipsec  drwxrsx--t  root ipsec

More information about the yellowdog-general mailing list