httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] USER directive in MPM_WINNT?
Date Wed, 05 Mar 2003 18:05:14 GMT
At 10:58 PM 3/4/2003, Veydajar wrote:
>From: "William A. Rowe, Jr."
>Sent: Tuesday, March 04, 2003 5:02 PM
>
>> >Hmmm... Is this even necessary for Windows?
>>
>> Oh, very strongly encouraged.  But then you need to take the time and lock
>> down your files that 'normal users' wouldn't have permission to touch (e.g.
>> c:\Windows, c:\program files, etc) and then open up permissions (e.g. those
>> programs who in 2003 still insist on writable program files folders, instead
>> of per-user files under the \windows\profiles or \documents and settings
>> trees.)
>
>Hmmm. That is, if I make the new user account a member of Users group?
>What if I make it a member of Guests group - then it would have close to
>nil privileges, all I'd have to do is explicitly allow it (the account, not
>a group) to access Apache and DocRoot. Or, I could even create a new group
>for that..
>
>Are my thoughts heading the right way?

Agreed 100%.  Realize you need to grant at least 'Directory List' access to
each directory between your drive root and the content you are serving.

E.g. Apache needs to know that Progra~1 == "Program Files" so that folks
can't walk around the aliases to bypass your <Directory > and <Files >
protection blocks.  That means that Apache must be able to see the files
in c:\, c:\Program Files\, c:\Program Files\Apache Group\ etc.  It doesn't
need read access to the files in all those directories, only within the Apache
directory tree.  And it needs read/write access to your Apache\logs directory.

>> Because most users don't go that extra step, Apache 'by default' makes no
>> assumptions.
>
>Assumptions about what, if I may ask?

That the user will be able to figure out how to properly apply protections and
still have a runnable server.

My hint to novices to this: feel free to start out with a member of the Guests
group, but create it at first as an interactive account; first try to run the
Apache -t command to test your config.  Fix the access you need.  Then
run Apache as a console command to help troubleshoot what it isn't doing
correctly, like invoking your cgi scripts.  After all that is done (from that
Guest login) things should work fine as-a-service.

Bill 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
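
The permission layout described in the reply above, as an added example that is not part of the original message: a PowerShell dry run that prints the `icacls` grants for list-only access on each ancestor directory, read access on the Apache tree, and write access on `logs`. The account name `apachesvc`, the install path, and the mapping of the message's access levels to `icacls` rights are assumptions.

```powershell
# Added example (not from the original message). Dry run unless -Apply is given.
param(
    [string]$Account    = 'apachesvc',   # hypothetical low-privilege local account
    [string]$ApacheRoot = 'C:\Program Files\Apache Group\Apache2',  # assumed path
    [switch]$Apply
)

function Get-AncestorDirs([string]$Path) {
    # Directories from the drive root down to, but not including, $Path.
    $dirs = @()
    $parent = Split-Path -Path $Path -Parent
    while ($parent) {
        $dirs = @($parent) + $dirs
        $parent = Split-Path -Path $parent -Parent
    }
    return $dirs
}

$plan = @()
foreach ($dir in (Get-AncestorDirs $ApacheRoot)) {
    # RX with no (OI)/(CI) flags: list/traverse this folder only; nothing is
    # inherited, so files and subfolders keep their existing ACLs.
    $plan += [pscustomobject]@{ Path = $dir; Ace = "${Account}:(RX)" }
}
# Read access throughout the Apache tree, inherited by files and subfolders.
$plan += [pscustomobject]@{ Path = $ApacheRoot; Ace = "${Account}:(OI)(CI)(RX)" }
# Logs must be writable; Modify (M) is a superset of the read/write access
# the message asks for (assumption: chosen so log files can also be rotated).
$plan += [pscustomobject]@{
    Path = (Join-Path $ApacheRoot 'logs'); Ace = "${Account}:(OI)(CI)(M)"
}

foreach ($step in $plan) {
    if ($Apply) {
        & icacls.exe $step.Path /grant $step.Ace
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $($step.Path)" }
    } else {
        # Print the command that would be run so the plan can be reviewed first.
        Write-Output ('icacls "{0}" /grant "{1}"' -f $step.Path, $step.Ace)
    }
}
```

After applying the grants, running `Apache -t` while logged in as that account, as the message suggests, shows whether any required access is still missing.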