httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kurtis Rader <kra...@skepticism.us>
Subject Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
Date Thu, 10 Mar 2016 02:47:18 GMT
On Wed, Mar 9, 2016 at 6:38 PM, Francis Roy <lists@unimportantstuff.com>
wrote:
>
> Thank you that answers my question quite nicely. It's not a giant flag
> waving at the internet, but if someone got a hold of my machine directly,
> it could provide a small bit of information used in a general strategy.


Just to be pedantic "they" don't have to get a hold of your machine
directly. If the attacker can install software of their choosing, say by
exploiting a vulnerability in your web server, then that software could
exploit the looser permissions on your home directory. But that is moot
given that you already had to grant the web server access to your home
directory in order to support your requirements. The concern now is whether
user accounts on your machine other than the one running the apache web
server can exploit those looser permissions.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank

Mime
View raw message