> On 18 Jun 2021, at 2:13 PM, Bill Cole
> <[email protected]> wrote:
>
> On 2021-06-18 at 10:17:13 UTC-0400 (Fri, 18 Jun 2021 10:17:13 -0400)
> Murray Eisenberg <[email protected]>
> is rumored to have said:
>
>> Indeed,
>>
>> sudo chmod a+x /Users /Users/me /Users/me/Sites
>>
>> fixed the permissions access problem.
>> ...
>
> The requirement is that the user running httpd must have search access on the
> whole tree above anywhere httpd is serving files from. The precise meaning of
> the 'search' permission (i.e. the 'execute' bit on a directory) is not
> intuitive or even well documented. It is simply the ability to access nodes
> within the directory based on those nodes' permissions, provided the caller
> knows the name of the item being accessed. Without search permission it
> simply does not matter what the permissions on items below the directory
> might be, they cannot be accessed. If you are concerned with other users
> (i.e. processes running as other users, such as 'daemon' which runs httpd
> under MacPorts) you can 'chmod a-r' on those directories to block reading of
> the directories themselves (i.e. the list of names of sub-nodes.)
>
> You can provide the search permission via the basic rwx by user/group/all
> mechanism or by extended ACLs, but you cannot create a deep space of access
> without a path from above….

With macOS 11.4 at least, the command

chmod a-r /Users

and even

sudo chmod a-r /Users

gives error "chmod: Unable to change file mode on /Users: Operation not permitted".

(By contrast, making the change for /Users/me and /Users/me/Sites is OK.)
---
Murray Eisenberg [email protected]
503 King Farm Blvd #101
Rockville, MD 20850-6667 Mobile (413)-427-5334
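
Added example, not part of the original messages: a small Python audit that walks the directories above a served folder and reports, for a given uid, which ones grant search (x) and which grant listing (r), so the first directory blocking the web server is easy to find. It reads only the classic mode bits; extended ACLs, uid 0 and macOS system protections are not modelled, and the temporary tree and `other_uid` are constructed stand-ins for /Users/me/Sites and the httpd user.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies to uid/gids: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_path(target, uid, gids=(), top="/"):
    """Check every directory from top down to target (a directory).

    Returns (rows, blocker): rows is [(dir, can_search, can_list), ...] and
    blocker is the first directory without search (x) permission, or None.
    """
    target, top = os.path.realpath(target), os.path.realpath(top)
    chain, cur = [], target
    while True:
        chain.append(cur)
        if cur == top or os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    rows, blocker = [], None
    for d in reversed(chain):
        bits = class_bits(os.stat(d), uid, gids)
        can_search, can_list = bool(bits & 1), bool(bits & 4)
        rows.append((d, can_search, can_list))
        if blocker is None and not can_search:
            blocker = d
    return rows, blocker

def demo():
    """Constructed tree standing in for /Users/me/Sites, audited for another uid."""
    other_uid = os.getuid() + 1               # hypothetical server uid, not the owner
    root = os.path.realpath(tempfile.mkdtemp())
    me, sites = os.path.join(root, "me"), os.path.join(root, "me", "Sites")
    os.makedirs(sites)
    os.chmod(root, 0o711)                     # x without r: traverse, cannot list
    os.chmod(me, 0o700)                       # owner only: nothing below is reachable
    os.chmod(sites, 0o755)
    before = audit_path(sites, other_uid, top=root)[1]
    os.chmod(me, 0o711)                       # the a+x fix, with a-r kept
    rows, after = audit_path(sites, other_uid, top=root)
    return root, before, after, rows

if __name__ == "__main__":
    for row in demo()[3]:
        print(row)
```

To audit a real document root, call `audit_path` on it with the server account's uid and group ids and leave `top` at its default.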