Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Ownership of Directories/Files under /srv/www/htdocs
  • From: Ingo Boernig <ingo@xxxxxxxxxx>
  • Date: Sat, 17 Dec 2005 23:20:08 +0100
  • Message-id: <200512172320.15765.ingo@xxxxxxxxxx>
On Saturday, 17 December 2005 22:10, Lucky Leavell wrote:
> On Sat, 17 Dec 2005, Christian Boltz wrote:
> > BTW: Is there a specific reason why you want those files not to be
> > world-readable?
>
> Wouldn't that be a security risk?

No. Almost never. Those files in /srv/www/htdocs are normally public. Why are
you running a webserver for them?

Even if your webserver has some permission control, the server process must be
able to read these files. And if someone breaks apache, he inherits the
rights of the apache process.

The only situation where you may have to be concerned is if you're running
apache with authentication and protected files and additionally another
service, independent of apache. If somebody manages to break into this other
service, he eventually can get access to world-readable files there.

Write permissions should be avoided if possible, though.

Ingo

> Thank you,
> Lucky

--
Ingo Börnig <ingo at boernig.de> /*\
\ / ASCII Ribbon Campaign
ask for phone or snail mail X against HTML email
/ \
GPG-Fingerprint: 2F8B DDFB F2A8 155A 206D 2969 F8FB 3C63 2033 BF32
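
The message above treats read access to the document root as harmless and write access as the thing to avoid, since whoever breaks Apache inherits the rights of its process. The following audit sketch is an added example, not part of the original mail; `audit_docroot`, `demo`, the sample file names and the uid values are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_docroot(root, server_uid, server_gids=()):
    """Return sorted (relative path, reason) pairs for entries that are
    writable by everyone or by the web server account. Read bits are
    deliberately ignored: the content is public anyway."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits carry no meaning
        rel = os.path.relpath(path, root)
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif st.st_uid == server_uid and st.st_mode & stat.S_IWUSR:
            findings.append((rel, "owned and writable by server user"))
        elif st.st_gid in server_gids and st.st_mode & stat.S_IWGRP:
            findings.append((rel, "writable by server group"))
    return sorted(findings)

def demo():
    """Audit a constructed tree twice: server == file owner, then a separate account."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        os.mkdir(os.path.join(root, "uploads"))
        for name in ("index.html", "app.php"):
            open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, "index.html"), 0o444)  # read-only, public
        os.chmod(os.path.join(root, "app.php"), 0o644)     # owner may write
        os.chmod(os.path.join(root, "uploads"), 0o777)     # anyone may write
        me = os.geteuid()  # the account that owns the constructed files
        return {
            "server_owns_files": audit_docroot(root, server_uid=me),
            "server_separate": audit_docroot(root, server_uid=me + 1),  # constructed uid
        }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

When the server account is separate from the file owner, only the world-writable directory is reported; when the server owns the tree, every owner-writable entry is something a compromised server process could modify.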