On 23 December 2012 16:23, Barney Wolff <[email protected]> wrote: [moving Barney's top post down]
> On Sun, Dec 23, 2012 at 10:51:24AM -0500, Mikhail T. wrote:
>> On 23.12.2012 03:05, Charlie Root wrote:
>> > Checking negative group permissions:
>> > 8903027 -rw--w-r-- 1 mi www 794277 Oct 23 07:47:45 2007
>> > /home/mi/public_html/syb/order/download.log
>>
>> Hello!
>>
>> The above started to appear in the daily security run output after I
>> upgraded to 9.1. I don't understand, what this check is doing or why the
>> above file is reported -- what's abnormal (warning-worthy) about
>> allowing the web-server to write to, but not read a file? I did it on
>> purpose to keep all files associated with a project together, but
>> without inadvertently serving some of them...
>
> The r for other means that you have not accomplished your goal. It makes
> no sense to have group with less permission than other, so the script is
> warning of a misconfiguration.

Not at all; anything in www group can't read the file, which is what
Mikhail wants to do. If he has thought about the consequences of
exactly what this means; i.e. normal users can read-only, www group can
write-only, mi can read/write, then he can ignore the warning.

Negative group permissions are sometimes useful, that's why they're
allowed.

>> I understand, I can explicitly disable it, but I'm curious... Whether it
>> should run by default or not, what is the purpose of it?

They involve a lot of thought to get right, as well as chmod g-w on
something where you probably meant chmod go-w is a disastrous but
(perhaps) common error.

Chris
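
The condition discussed in this thread, as an added example that is not part of the original messages and is not FreeBSD's own periodic security script: a file is flagged when the "other" class holds a permission bit that the group class lacks. The function names `neg_group_perms` and `demo` and the sample file names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list regular files whose group class has fewer
# permissions than the "other" class (a "negative group permission").

# neg_group_perms DIR
# Prints one path per line. For each of r, w and x, a file is flagged
# when the "other" bit is set but the matching group bit is clear.
neg_group_perms() {
    find "$1" -type f \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \
    \) -print
}

# Constructed sample tree (not taken from the thread), built in a
# temporary directory and removed afterwards.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/download.log"; chmod 0624 "$d/download.log"  # -rw--w-r--, the mode in the report
    : > "$d/typo.conf";    chmod 0646 "$d/typo.conf"     # 0666 after "chmod g-w" instead of "go-w"
    : > "$d/normal.html";  chmod 0644 "$d/normal.html"   # group equals other: not flagged
    : > "$d/private.key";  chmod 0640 "$d/private.key"   # group exceeds other: not flagged
    # Strip the temp prefix and join the flagged names on one line.
    neg_group_perms "$d" | sed "s|^$d/||" | sort | tr '\n' ' '
    rm -rf "$d"
}

demo; echo
```

A file that is flagged on purpose, like the write-only log in the thread, can simply be left as it is; the `typo.conf` case is the accidental one the check is meant to surface.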
