On 08/13/2018 10:45 AM, info at smallinnovations dot nl wrote:
> On 13-08-18 09:40, Lars Noodén wrote:
>> On 08/13/2018 10:36 AM, info at smallinnovations dot nl wrote:
>>> On 13-08-18 09:31, Lars Noodén wrote:
>>>
>>> <snip>
>>> I worked the other way, Apache is able to work with symlinks. I only
>>> needed to make www-data member of the users group.
>> Eek.  Think instead 'least privilege'.  That would be one situation where
>> adding an ACL would work.  That would avoid giving away (potentially)
>> all the user's files to the web server.
>>
>> /Lars
> 
> It is not really different from allowing user access to
> /var/www/html/website. When a user puts all his user's files there (s)he
> gives away (potentially) all the files to the webserver too.

As a member of the user's group, if something breaks out of the web
server's document root then it has full read access to ~user and its
subdirectories.  In some files or directories that could also be write
access.  ACLs are a pain though since they are rarely used and can be
complicated.

/Lars
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
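
Added example, not part of the thread: an audit sketch that compares what a non-owner process such as the web server can reach under a home directory when it is a member of the user's group and when it is not. The function names and the sample tree are constructed for illustration, and only the classic mode bits are modelled, not ACLs.

```python
import os
import stat
import tempfile

def reachable(root, gid, member):
    """Paths under root that a non-owner process can read or write.

    member=True models www-data added to group `gid`; member=False models
    www-data outside it. Owner bits are ignored (the server is not the owner).
    """
    readable, writable = set(), set()

    def bits(st):
        # The kernel applies the group class when the process is in the
        # file's group, otherwise the 'other' class; the two are not combined.
        m = st.st_mode
        if member and st.st_gid == gid:
            return m & stat.S_IRGRP, m & stat.S_IWGRP, m & stat.S_IXGRP
        return m & stat.S_IROTH, m & stat.S_IWOTH, m & stat.S_IXOTH

    def walk(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # symlink targets are not followed in this sketch
        r, w, x = bits(st)
        rel = os.path.relpath(path, root)
        if r:
            readable.add(rel)
        if w:
            writable.add(rel)
        # Search (x) permission is what lets a process reach entries below.
        if stat.S_ISDIR(st.st_mode) and x:
            for name in sorted(os.listdir(path)):
                walk(os.path.join(path, name))

    walk(root)
    return readable, writable

def build_sample_home():
    """Constructed sample tree with typical modes; returns (path, gid)."""
    home = tempfile.mkdtemp(prefix="home-user-")
    dirs = {"public_html": 0o750, ".ssh": 0o700, "docs": 0o770}
    files = {"public_html/index.html": 0o640, ".ssh/id_key": 0o600,
             "docs/notes.txt": 0o660, "mail.txt": 0o640}
    for name, mode in dirs.items():
        os.mkdir(os.path.join(home, name))
        os.chmod(os.path.join(home, name), mode)
    for name, mode in files.items():
        with open(os.path.join(home, name), "w") as fh:
            fh.write("constructed\n")
        os.chmod(os.path.join(home, name), mode)
    os.chmod(home, 0o750)
    return home, os.lstat(home).st_gid
```

Running `reachable()` twice on the same tree, once with `member=True` and once with `member=False`, gives the set of paths that group membership alone hands to the server.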
