Date: Sat, 25 Dec 1999 18:31:24 +1300
From: "Dan Langille" <dan@freebsddiary.org>
To: freebsd-isp@FreeBSD.ORG
Subject: Apache / FrontPage file permissions
Message-ID: <199912250531.SAA63592@ducky.nz.freebsd.org>

One of the issues associated with Front Page extensions is the file
permissions for files within the web. If you don't allow shell access to
your web server, this isn't an issue, but if you do, please read on. I've
come up with what I think is a feasible solution and I seek comment from
those who have already gone down this path. TIA.

Files such as these contain information which can be used to gain access
to a box:

    /path.to.web/_vti_pvt/service.pwd
    /path.to.web/_vti_pvt/service.grp

In particular, service.pwd contains an encrypted password, which if
obtained could be passed to a cracker program.

I've concluded that such files should be non-world readable. So all of my
virtual websites are chown <userid>:<webservergroup> so that the user owns
everything, but the webserver can access the files. In general, most files
will be either 640 or 750 as necessary.

I've tested this out and it seems to work fine. The only outstanding issue
is the education of shell users that files should not be world readable.
But users being users (not to mention some admins), I think a script to
search for world readable files within the web server file space is a good
idea. It would run daily and report on such files. I've been given such a
script but haven't tried it out yet.

--
Dan Langille - DVL Software Limited
[I'm looking for more work]
The FreeBSD Diary - http://www.freebsddiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm
unix @ home - http://www.unixathome.org/
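
A daily check of the kind the message describes could look like the following. This is an added example, not the script the author was given and not part of the original message; the function names are hypothetical and the web root is whatever directory is passed as the first argument.

```shell
#!/bin/sh
# Added example: report world-readable entries under a web root.
# Function names are hypothetical; pass the web root as $1.

# Paths of regular files and directories with the world-read bit (o+r) set.
# Symlinks are skipped because their own mode bits are not meaningful.
find_world_readable() {
    find "$1" \( -type f -o -type d \) -perm -0004 -print 2>/dev/null
}

# Subset of the above: the FrontPage credential files named in the message.
find_exposed_frontpage_creds() {
    find "$1" -type f -path '*/_vti_pvt/*' \
        \( -name service.pwd -o -name service.grp \) \
        -perm -0004 -print 2>/dev/null
}

# Print a report. Returns 0 if clean, 1 if anything is world-readable,
# 2 if the argument is not a directory.
# Assumes path names contain no newlines.
audit_webroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit: $root is not a directory" >&2
        return 2
    fi
    creds=$(find_exposed_frontpage_creds "$root")
    all=$(find_world_readable "$root")
    if [ -z "$all" ]; then
        return 0
    fi
    if [ -n "$creds" ]; then
        echo "World-readable FrontPage credential files:"
        printf '%s\n' "$creds" | while IFS= read -r f; do ls -ld "$f"; done
    fi
    echo "All world-readable files and directories under $root:"
    printf '%s\n' "$all" | while IFS= read -r f; do ls -ld "$f"; done
    return 1
}

# Run the audit only when a web root is given on the command line.
if [ $# -gt 0 ]; then
    audit_webroot "$1"
fi
```

Run from cron, the script prints nothing when the tree is clean, so a mailed report appears only on days when something is world-readable.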
