httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: proxy logging ftp password
Date Sun, 07 Sep 1997 19:22:30 GMT
On Sun, 7 Sep 1997, Philip A. Prindeville wrote:

> 	Date: Sun, 7 Sep 1997 04:24:59 -0600 (MDT)
> 	From: Marc Slemko <>
> 	To:
> 	Subject: Re: proxy logging ftp password
> 	No they aren't.  They are owned and only need be writable by the user
> 	that starts Apache, normally root.
> 	In any case, the fact remains that on most systems they are world
> 	readable.
> Right, but on most systems, the directory they are in is also owned
> by Apache, so the process could easily do a chmod() on them and make
> them readable as well.

No it is not.  They should not and must not be.  If they are like that on
your system, then your system is broken. 

First of, just because you own a directory doesn't mean you can chown the
files in it.  Secondly, if the directory is writable by the user Apache
runs as, you just gave away root on your system.

Nothing should be owned by or writable by the user Apache runs as unless
it is unavoidable.

View raw message