Date: Sun, 7 Sep 1997 13:22:30 -0600 (MDT)
From: Marc Slemko
To: new-httpd@apache.org
Subject: Re: proxy logging ftp password
In-Reply-To: <199709071915.MAA25326@enteka.com>
Message-ID:

On Sun, 7 Sep 1997, Philip A. Prindeville wrote:

> Date: Sun, 7 Sep 1997 04:24:59 -0600 (MDT)
> From: Marc Slemko
> To: new-httpd@apache.org
> Subject: Re: proxy logging ftp password
>
> No they aren't. They are owned and only need be writable by the user
> that starts Apache, normally root.
>
> In any case, the fact remains that on most systems they are world
> readable.
>
> Right, but on most systems, the directory they are in is also owned
> by Apache, so the process could easily do a chmod() on them and make
> them readable as well.

No it is not. They should not and must not be. If they are like that on
your system, then your system is broken.

First off, just because you own a directory doesn't mean you can chown
the files in it. Secondly, if the directory is writable by the user
Apache runs as, you just gave away root on your system. Nothing should
be owned by or writable by the user Apache runs as unless it is
unavoidable.
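The condition Marc describes, a log directory or log file that the unprivileged httpd user owns or can write, is easy to audit. The following script is an added example and is not part of the original thread or of Apache; the function names `audit_log_dir` and `count_findings` are my own, and it assumes a POSIX `find` that accepts a user name or numeric uid for `-user`.

```shell
#!/bin/sh
# Added example (not from the original thread): report entries under a log
# directory that the user Apache runs as could own or write. Either case
# lets that user chmod, truncate or replace logs; a writable directory is
# the worse one, since entries in it can be renamed or swapped out.
# Usage: audit_log_dir DIR HTTPD_USER   (HTTPD_USER is a name or a uid)

audit_log_dir() {
    dir=$1
    httpd_user=$2
    # Owned by the httpd user: ownership, not directory ownership, is what
    # permits chmod(2) and chown(2) on a file, so these are the real risk.
    find "$dir" -user "$httpd_user" -exec echo "OWNED-BY-HTTPD-USER: {}" \;
    # Group- or world-writable (mode bits 020 / 002): writable by the httpd
    # user regardless of who owns it. Checked for the directory itself too.
    find "$dir" \( -perm -020 -o -perm -002 \) -exec echo "WRITABLE: {}" \;
}

# Number of findings, one per line of audit_log_dir output. An entry that is
# both owned by the httpd user and writable is counted twice, once per reason.
count_findings() {
    audit_log_dir "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample layout: a 0755 log directory holding one 0644 log and
# one (wrongly) world-writable 0666 log, audited against a uid that is not
# the one running this script, so only the writable file should be reported.
if [ "${AUDIT_DEMO:-}" = "1" ]; then
    demo=$(mktemp -d)
    chmod 755 "$demo"
    printf 'GET / 200\n' > "$demo/access_log"; chmod 644 "$demo/access_log"
    printf 'warn\n' > "$demo/error_log";       chmod 666 "$demo/error_log"
    audit_log_dir "$demo" "$(( $(id -u) + 1 ))"
    rm -rf "$demo"
fi
```

Run with `AUDIT_DEMO=1 sh audit.sh` to see the constructed demonstration, or call `audit_log_dir /var/log/apache2 www-data` (path and user are examples) on a real host.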