Guest69312 | Hello all. I noticed that my user dir is r-x for other users. 1) is this normal? 2) Would it be a problem if I lock it down a bit better and remove rights so that stuff like apache and whatnot can't read my user dir if it gets exploited? | 12:07 |
---|---|---|
rm | it is normal. yes, you can lock it down with no problems | 12:11 |
iv4nshm4k0v | Guest69312: With mod_userdir enabled, Apache will map URIs like http://example.com/~username to ~username/public_html, so if you need them to work, you may need to give access to your home directory to other users. Similarly, on multiuser hosts, users sometimes put under their home files for others to use. | 12:25 |
Guest69312 | iv4nshm4k0v, neither applies to me so like rm says, I'll just go ahead and lock it down some more. Thank you both for the answers. | 12:27 |
iv4nshm4k0v | My own preference is to have /two/ "home" directories per user: /home/private/users/USERNAME (accessible only to the user) and /home/public/users/USERNAME (a+rx). | 12:27 |
iv4nshm4k0v | In particular, my Apache is configured to map ~USERNAME to the latter. Though it's possible to also use chacl(1) to allow only specific users (such as www-data) to access (+x; but not read the contents, -r, if only access to public_html is needed) one's $HOME. | 12:30 |
GyrosGeier | Apache only needs +x, not +r on the home | 12:32 |
GyrosGeier | +r alone doesn't even help | 12:32 |
GyrosGeier | +x allows chdir(), +r allows getdents() | 12:33 |
Guest69312 | Yeah I noticed that by removing the r and keeping x I could still go to my desktop folder while logged in as another user. | 12:33 |
GyrosGeier | since the name of "public_html" is known, it doesn't need to read the contents, it can just pass through | 12:33 |
GyrosGeier | basically, +x allows entering, and for any directory below, the permissions on that directory count | 12:34 |
GyrosGeier | so public_html needs +rx if you use Options Indexes, otherwise +x is sufficient | 12:35 |
GyrosGeier | and the o+x is sufficient for going to any directory whose name you can guess | 12:35 |
steve31 | ITM | 19:42 |
 | * steve31 looks around | 19:45 |
linearain | people in the 70s were probably making similar compromises. But simplicity is genius, and it takes a genius to understand unix, or so they say | 19:47 |