On 2021-06-18 at 10:17:13 UTC-0400 (Fri, 18 Jun 2021 10:17:13 -0400)
Murray Eisenberg <[email protected]>
is rumored to have said:
Indeed,
sudo chmod a+x /Users /Users/me /Users/me/Sites
fixed the permissions access problem.
Is there some alternative way to fix this — by changing the owner of
just /Users/me/Sites and its tree of descendents and/or by changing
settings in the entries of
/opt/local/etc/apache2/extra/httpd-vhosts.conf ?
The requirement is that the user running httpd must have search access
on the whole tree above anywhere httpd is serving files from. The
precise meaning of the 'search' permission (i.e. the 'execute' bit on a
directory) is not intuitive or even well documented. It is simply the
ability to access nodes within the directory based on those nodes'
permissions, provided the caller knows the name of the item being
accessed. Without search permission it simply does not matter what the
permissions on items below the directory might be, they cannot be
accessed. If you are concerned with other users (i.e. processes running
as other users, such as 'daemon' which runs httpd under MacPorts) you
can 'chmod a-r' on those directories to block reading of the directories
themselves (i.e. the list of names of sub-nodes.)
You can provide the search permission via the basic rwx by
user/group/all mechanism or by extended ACLs, but you cannot create a
deep space of access without a path from above.
And if there is no such alternative, then why would permissions on
/Users, /Users/me, and /Users/me/Sites have changed away from a+x,
seemingly without my own intervention, during some macOS upgrade?
We do not know if it happened to all 3, as you did not show listings
showing those directories' permissions. I only advised you to chmod them
all because they all must have the permission and there's no effect of
adding a permission that already exists.
My guess is that at some point Apple decided to tighten up permissions
on home directories because it is simply a standard best practice. They
have been getting increasingly unilateral in their security decisions
since ~10.9 and removing world read and search/execute permissions from
home directories is a harmless tightening for the overwhelming majority
of Mac users.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
