httpd-users mailing list archives

From Kurtis Rader <kra...@skepticism.us>
Subject Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
Date Thu, 10 Mar 2016 02:29:25 GMT
On Wed, Mar 9, 2016 at 6:17 PM, Francis Roy <lists@unimportantstuff.com>
wrote:

> On 16-03-09 08:44 PM, Eric Covener wrote:
>
>> If you want to serve out of your home directory, it needs to be
>> executable by "other".
>>
>
> Thank you, Eric and Kurtis, both. That was the problem.
>
> I did the following:
>    sudo chmod 755 /home/username
>
> If I may, a follow-up question: does this create a potential security
> vulnerability on my machine that I should find measures of protecting?


Probably not but it's not the sort of question anyone can answer without
spending a few days reviewing your situation. The reason most UNIX distros
create the home directory for a user with mode 750 (no public access) is to
make it impossible for other accounts on the machine, which aren't members
of your primary group, to guess whether a file is present by exploiting the
search capability. In other words, if you've done "chmod 751" then even if
I'm not a member of the group that owns your home directory I can execute
"ls /media/username/$filename" commands (or equivalent) to probe whether
$filename exists. It's a potential information leak that could
theoretically be used to launch an attack. Whether that's a concern for you
depends on a lot of factors.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
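
Added example, not part of the thread: a POSIX shell audit of the distinction discussed above between the search (execute) bit and the read bit for "other" on each directory leading to served content. The function names, the optional TOP argument and the assumption that the server account is neither owner nor group member of the directories are this example's own; `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example (not from the thread). POSIX sh plus GNU coreutils `stat -c`.

# other_access MODE -> none | probe | list | names-only
# MODE is an octal mode such as 750, 751 or 0755; its last digit holds the
# rwx bits that apply to accounts that are neither owner nor group member.
other_access() {
    case ${1#"${1%?}"} in            # last octal digit of MODE
        5|7) echo list ;;            # r-x: ls shows every name
        1|3) echo probe ;;           # --x: no listing, but known names resolve
        4|6) echo names-only ;;      # r--: names visible, nothing reachable
        *)   echo none ;;            # no search permission at all
    esac
}

# audit_path DIR [TOP] -> prints "<mode> <class> <dir>" for each directory
# from TOP (default /) down to DIR. Exit status 1 means some directory denies
# search to "other", which blocks a server account that is neither the owner
# nor in the owning group (the assumption made here about httpd's user).
# The body is a subshell so its variables and cd stay local.
audit_path() (
    dir=$(cd "$1" && pwd -P) || exit 2
    top=$(cd "${2:-/}" && pwd -P) || exit 2
    out="" rc=0
    while :; do
        mode=$(stat -c %a "$dir") || exit 2
        class=$(other_access "$mode")
        case $class in none|names-only) rc=1 ;; esac
        out=$(printf '%s %s %s\n%s' "$mode" "$class" "$dir" "$out")
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$out"
    exit "$rc"
)

# Usage: audit_path /home/username/site /home   (the "site" directory is hypothetical)
```

A directory reported as `probe` (for example mode 751 or 711) lets the server traverse it without exposing a listing; `list` (755) additionally lets any local account enumerate the names inside.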
