httpd-users mailing list archives

From Craig Dunigan <cduni...@doit.wisc.edu>
Subject Re: [users@httpd] Trying to access directory index outside doc root
Date Thu, 07 Apr 2005 13:50:09 GMT
On Thu, 7 Apr 2005, Kevin Old wrote:

> On Apr 7, 2005 9:35 AM, Kevin Old <kevinold@gmail.com> wrote:
> > On Apr 6, 2005 1:51 PM, Robert Zagarello <bzag0@yahoo.com> wrote:
> > >
> > > Kevin,
> > >
> > > My apache config file shows the realname enclosed in
> > > quotes with a terminating slash in the Alias
> > > directive, so try:
> > >
> > > Alias /excessinvarch/ "/home/kdo/working/excessinv/"
> > >
> > 
> > Thanks for your help.  I think that the problem is file system
> > permissions.  My Apache processes are running as user and group
> > "apache", but the data under /home/kdo/working/excessinv is (of
> > course) owned by user "kdo".
> > 
> > One "fix" is to set all the permissions on my directories under
> > /home/kdo to 777.  It's insecure though.  Isn't there a way to tell
> > apache who owns a certain directory?  Maybe with the user and group
> > commands in a <Directory> block?
> > 
> > Any help is appreciated!
> > Kevin
> > --
> > Kevin Old
> > kevinold@gmail.com
> > 
> 
> One final note, the error I'm getting when trying to access the alias
> is a 403 Forbidden.
> 
> 

There is no way for apache to use any user or group statements in
httpd.conf to read files for which its user has no permissions in the
filesystem.  You may start Apache as root, but it immediately switches to
the defined user once the tasks needing root privileges are done, which is
usually just opening the privileged port 80.  My understanding is that it
does not retain any root privileges after that, so buffer overruns and
similar exploits don't give root access.  Your best bet is to change the
group on the required directory to 'apache', then allow group read/execute
on the directory (sudo chgrp -R apache /home/kdo; sudo chmod -R g+X
/home/kdo;  sudo chmod -R g+r /home/kdo/working/excessinv).

-- 
Craig Dunigan
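
A diagnostic for the 403 discussed in this thread, added here as an example and not part of any poster's message: it walks the aliased path and reports the first directory whose mode bits stop the server account. The function name, its arguments and the optional BASE parameter are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux stat(1) with -c (GNU or
# BusyBox). Checks classic mode bits only: no ACLs, SELinux or supplementary
# groups, and the account is assumed to be non-root.

# first_blocked_dir TARGET UID GID [BASE]
# Walks from BASE (default /) down to TARGET. Every directory on the way needs
# search (x) permission for the account; TARGET itself needs read + search so
# the server can list it. Prints the first directory that fails and returns 1,
# returns 0 if the whole path is usable, 2 on a bad path.
first_blocked_dir() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    acct_uid=$2
    acct_gid=$3
    base=$(cd "${4:-/}" 2>/dev/null && pwd -P) || return 2
    rest=${target#"$base"}
    rest=${rest#/}
    dir=$base
    while :; do
        if [ -z "$rest" ]; then need=5; else need=1; fi
        info=$(stat -c '%a %u %g' "$dir" 2>/dev/null) || return 2
        set -- $info
        perms=$((0$1))
        # The kernel picks exactly one class: owner, else group, else other.
        if [ "$acct_uid" -eq "$2" ]; then shift_by=6
        elif [ "$acct_gid" -eq "$3" ]; then shift_by=3
        else shift_by=0
        fi
        if [ $(( (perms >> shift_by) & need )) -ne "$need" ]; then
            printf '%s\n' "$dir"
            return 1
        fi
        [ -n "$rest" ] || return 0
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        dir=${dir%/}/$comp
    done
}
```

Run it as root or as the directory owner, for example `first_blocked_dir /home/kdo/working/excessinv "$(id -u apache)" "$(id -g apache)"`.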



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

