httpd-users mailing list archives

From Francis Roy <li...@unimportantstuff.com>
Subject Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
Date Thu, 10 Mar 2016 02:38:54 GMT
On 16-03-09 09:29 PM, Kurtis Rader wrote:
> On Wed, Mar 9, 2016 at 6:17 PM, Francis Roy <lists@unimportantstuff.com> wrote:
>     If I may, a follow-up question: does this create a potential
>     security vulnerability on my machine that I should find measures of
>     protecting?

> Probably not but it's not the sort of question anyone can answer without
> spending a few days reviewing your situation. The reason most UNIX
> distros create the home directory for a user with mode 750 (no public
> access) is to make it impossible for other accounts on the machine,
> which aren't a member of your primary group, to guess whether a file is
> present by exploiting the search capability. In other words, if you've
> done "chmod 751" then even if I'm not a member of the group that owns
> your home directory I can execute "ls /media/username/$filename"
> commands (or equivalent) to probe whether $filename exists. It's a
> potential information leak that could theoretically be used to launch an
> attack. Whether that's a concern for you depends on a lot of factors.

Thank you, that answers my question quite nicely. It's not a giant flag
waving at the internet, but if someone got a hold of my machine 
directly, it could provide a small bit of information used in a general 
strategy.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
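
The 750 versus 751 distinction discussed in this thread can be checked from a directory's mode bits. The following is an added example, not part of either poster's message; the function names `other_dir_access` and `audit_dirs` are hypothetical, and the check assumes classic permission bits only (no ACLs, no look at parent directories).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Reads only the classic mode bits; ACLs and parent directories are not checked.

# other_dir_access DIR
# Prints what accounts that are neither the owner nor in the owning group
# can do with DIR:
#   none         e.g. mode 750: cannot list or probe names
#   search-only  e.g. mode 751: cannot list, but can test whether a known
#                name exists inside DIR
#   list-only    names can be listed, entries cannot be accessed
#   list+search  e.g. mode 755: full listing and access to entries
other_dir_access() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not-a-directory"
        return 1
    fi
    # First field of `ls -ld` is the mode string, e.g. drwxr-x--x
    mode=$(ls -ld -- "$dir" | awk '{print $1}')
    o_read=$(printf '%s' "$mode" | cut -c8)
    o_search=$(printf '%s' "$mode" | cut -c10)
    # In position 10, 't' means sticky bit plus search, 'T' sticky without it
    case "$o_read$o_search" in
        r[xt]) echo "list+search" ;;
        r*)    echo "list-only" ;;
        ?[xt]) echo "search-only" ;;
        *)     echo "none" ;;
    esac
}

# audit_dirs DIR...
# One line per directory: classification, a tab, then the path.
audit_dirs() {
    for d in "$@"; do
        printf '%s\t%s\n' "$(other_dir_access "$d")" "$d"
    done
}

# When run as a script with arguments, audit them.
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
fi
```

A directory reported as `search-only` is the case described in the quoted reply: its contents cannot be listed by other accounts, but the existence of a guessed name can be confirmed.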

