Dave Anders wrote:
> I changed
> drwxr-xr-x   7 nobody    home         4096 Mar 13 11:15 /home/sites/home
> to
> drwxr-xr-x   7 admin    home         4096 Mar 13 11:15 /home/sites/home
> (Command chown -R admin home)

OK, care required here...
<snip>
> User alfred or peter is able to enter into that directory using the
> UNIX command cd /home/sites/home successfully.

Yes they are, because 'everybody' has read and execute (or search) privileges. That's 
what the drwxr-xr-x means, as Jeff explained earlier.

Sure, you could take the permissions off, but that would render your webserver 
inoperable. Also, by making that change you've probably rendered FTP and FrontPage 
uploads inoperable too.

I know this has been explained previously, but I'll reiterate it: ALL files on the 
system which need to be reachable from a web browser via the Apache server MUST have 
permissions for 'everybody' to access them. Not to write them, necessarily (as that's 
obviously bad) but certainly to read & execute them.

> Why is alfred allowed to enter into a directory which is
> owned by admin?

See above. They have permission to, regardless of owner.

> Since 1997 I've been working with Linux Red Hat.
> I've never seen such a Linux configuration before.

I've been working with various flavours of UNIX since about that time too, and also 
with Macs, Windows systems, and so on. This is a fundamental setting issue with 
webservers on multi-user systems: the webserver runs as a specific user (nobody, www, 
apache, whatever). That user MUST be able to read the files in the website 
directories. That means _either_ the webserver user must be in all the relevant groups 
(messy, potentially fatal as the groups file or group entries can grow too large), or 
all web users must be in the same group as the webserver user (same problems); or all 
web directories *and the paths to them* must be readable by that user. That means 
'everybody', since we already discounted the groups.

HTH

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
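
Added example (not part of the original message or of any Cobalt tooling): a small Python check of the point made in the reply above, that every directory on the path to web content needs the 'other' search bit and served files need 'other' read, while 'other' write is not wanted. The function name `audit_web_path` and the sample tree are hypothetical, and the check assumes the web server user reaches the files through the 'other' bits only, not as owner or group member.

```python
import os
import stat
import tempfile


def audit_web_path(target, base="/"):
    """Report the 'other' permission bits for each component from base down to target.

    Returns a list of (path, mode_string, problems); an empty problems list means
    the web server user can get through that component via the 'other' bits.
    """
    target, base = os.path.realpath(target), os.path.realpath(base)
    rel = os.path.relpath(target, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("target is not below base")
    results, current = [], base
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, part)
        mode = os.stat(current).st_mode
        problems = []
        if stat.S_ISDIR(mode):
            if not mode & stat.S_IXOTH:
                problems.append("no search (x) for other: cannot be traversed")
            if current == target and not mode & stat.S_IROTH:
                problems.append("no read (r) for other: cannot be listed")
        elif not mode & stat.S_IROTH:
            problems.append("no read (r) for other: cannot be served")
        if mode & stat.S_IWOTH:
            problems.append("world-writable")
        results.append((current, stat.filemode(mode), problems))
    return results


if __name__ == "__main__":
    # Constructed sample tree standing in for /home/sites/home (not a real site).
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "sites", "home")
    os.makedirs(docroot)
    page = os.path.join(docroot, "index.html")
    open(page, "w").close()
    os.chmod(os.path.join(root, "sites"), 0o750)  # search bit removed for 'other'
    os.chmod(docroot, 0o755)
    os.chmod(page, 0o644)
    for path, mode, problems in audit_web_path(page, root):
        print(mode, path, "; ".join(problems) or "ok")
```

Run against a real document root with `audit_web_path("/home/sites/home", "/")` to see which component, if any, blocks the web server user.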
