[CentOS] Using Samba to share Apache web root, securely

Leonard den Ottolander leonard at den.ottolander.nl
Thu Aug 11 06:33:30 UTC 2011


Hello Craig,

On Wed, 2011-08-10 at 18:18 -0700, Craig White wrote:
> please explain to me how the above octal permissions with user root &
> group department_a translate to giving apache write access or even world
> write access.

I think you misunderstood what I meant... I claimed that if apache is not
part of the department_a group the only way to give apache write access
is by giving the world write access. With the setup as you suggested it
is impossible to give apache write access without giving the whole world
write access where apache needs to write.

Of course with my setup the problem is apache has write access
everywhere the group has write access (using 2770 for directories).

(The approach of adding apache to a shared user-apache group does work
well for single user directories. Using 2750 for apache read and 2770
for apache write. Perhaps an smb mapping to a user on the affected
shares fixes the issue with my approach.)

<snip sarcasm>

> I think this is reasonably secure configuration.

Perhaps the setup you suggest is the best approach, but it has its
limitations. It makes it impossible to give apache write access to
certain directories without giving the world write access there, and it
makes it impossible to use php with safe_mode.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
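
Added example (not part of the original message): a small Python model of the POSIX owner/group/other permission check, applied to the directory layouts discussed in this thread. The uid/gid numbers, the "nobody" account and the shared user-apache group id are constructed for illustration; only the mode bits, "apache" and "department_a" come from the thread.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary group ids

@dataclass(frozen=True)
class Dir:
    owner_uid: int
    gid: int
    mode: int  # octal, e.g. 0o2770

def access_class(acct, d):
    """POSIX selects exactly one class: owner, else group, else other."""
    if acct.uid == d.owner_uid:
        return "owner"
    return "group" if d.gid in acct.gids else "other"

def can(acct, d, want):
    """want is a subset of 'rwx'; only the mode bits are modelled
    (no root override, no ACLs)."""
    shift = {"owner": 6, "group": 3, "other": 0}[access_class(acct, d)]
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (d.mode >> shift) & need == need

def can_create_in(acct, d):
    return can(acct, d, "wx")  # creating entries needs write + search

def world_writable(d):
    return bool(d.mode & stat.S_IWOTH)

def new_files_inherit_group(d):
    return bool(d.mode & stat.S_ISGID)  # the leading 2 in 2770 / 2750

# Constructed ids for illustration.
DEPT_A, SHARED = 500, 600
apache_outside = Account("apache", 48, frozenset({48}))
apache_in_dept = Account("apache", 48, frozenset({48, DEPT_A}))
apache_shared = Account("apache", 48, frozenset({48, SHARED}))
stranger = Account("nobody", 99, frozenset({99}))

root_dept_2770 = Dir(0, DEPT_A, 0o2770)    # root:department_a
root_dept_2777 = Dir(0, DEPT_A, 0o2777)    # same, opened to "other"
user_read_2750 = Dir(1000, SHARED, 0o2750)   # user:shared group, apache reads
user_write_2770 = Dir(1000, SHARED, 0o2770)  # user:shared group, apache writes
```

Calling can_create_in(apache_outside, root_dept_2777) and can_create_in(stranger, root_dept_2777) shows both succeed on the same bit, which is the trade-off described in the message.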




