On 2021-06-18 at 14:33:43 UTC-0400 (Fri, 18 Jun 2021 14:33:43 -0400)
Murray Eisenberg <murrayeisenb...@gmail.com>
is rumored to have said:
On 18 Jun 2021, at 2:13 PM, Bill Cole
<macportsusers-20171...@billmail.scconsult.com> wrote:
On 2021-06-18 at 10:17:13 UTC-0400 (Fri, 18 Jun 2021 10:17:13 -0400)
Murray Eisenberg <murrayeisenb...@gmail.com>
is rumored to have said:
Indeed,
sudo chmod a+x /Users /Users/me /Users/me/Sites
fixed the permissions access problem.
...
The requirement is that the user running httpd must have search
access on the whole tree above anywhere httpd is serving files from.
The precise meaning of the 'search' permission (i.e. the 'execute'
bit on a directory) is not intuitive or even well documented. It is
simply the ability to access nodes within the directory based on
those nodes' permissions, provided the caller knows the name of the
item being accessed. Without search permission it simply does not
matter what the permissions on items below the directory might be,
they cannot be accessed. If you are concerned with other users (i.e.
processes running as other users, such as 'daemon' which runs httpd
under MacPorts) you can 'chmod a-r' on those directories to block
reading of the directories themselves (i.e. the list of names of
sub-nodes.)
You can provide the search permission via the basic rwx by
user/group/all mechanism or by extended ACLs, but you cannot create a
deep space of access without a path from above….
With macOS 11.4 at least, the command
chmod a-r /Users
and even
sudo chmod a-r /Users
gives error "chmod: Unable to change file mode on /Users: Operation
not permitted".
Which indicates that Apple has decided to add /Users to the creeping
expanse of files and directories behind the Iron Curtain of SIP.
Consider yourself Protected.
(By contrast, making the change for /Users/me and /Users/me/Sites is
OK.)
I guess they are waiting for OS 12 to lock those down...
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
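As an added example (not part of the thread above, and not a MacPorts or Apache tool), a small POSIX shell audit that walks from a document root up to a top directory and reports every ancestor lacking the 'other' execute (search) bit, which is the condition described above for the MacPorts 'daemon' user running httpd. The function names, the optional top-directory argument and the sample paths in the comments are my own; it reads only the basic mode bits from ls -ld, so extended ACLs that grant or deny search are not considered.

```shell
#!/bin/sh
# Audit search (execute) permission on every directory between a
# document root and a top directory, for the "other" class, i.e. what a
# process running as a non-owner, non-group user such as 'daemon' sees.
# Note: only the rwx mode bits are inspected; ACL entries are ignored.

# mode_string DIR -> e.g. "drwxr-xr-x" (ls -ld is portable, stat is not)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# has_other_search DIR -> exit 0 if "other" has search (x or t) on DIR
has_other_search() {
    case "$(mode_string "$1")" in
        ?????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_path_search DOCROOT [TOP]
# Walks from DOCROOT up to TOP (default /), printing every directory on
# the way that lacks search for "other". Exit status is the number of
# such directories, so 0 means the whole path is traversable.
check_path_search() {
    top=$(cd "${2:-/}" && pwd -P) || return 2
    dir=$(cd "$1" && pwd -P) || return 2
    missing=0
    while :; do
        if ! has_other_search "$dir"; then
            echo "missing search for others: $dir"
            missing=$((missing + 1))
        fi
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$missing"
}

# Usage (hypothetical paths): sh audit_search.sh /Users/me/Sites /Users
if [ -n "${1:-}" ]; then
    check_path_search "$@"
fi
```

A directory set to mode 711 (readable only by its owner, as with chmod a-r) still passes, because search does not require read.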