Talk:Access Control Lists

From ArchWiki

Increase security of your web server

I struggled to understand the last revision of this section. I tried to reproduce it more clearly, but I'm not sure I achieved what the original author was trying to do.

I still think that the example lacks necessary real-world applicability. If at all, the web server should only have access to a specific folder within the user's home directory.

Any more suggestions?

Original section

You can now add permissions to our home directory and/or site directory only to nobody user any anyone else - without "whole world" to increase your security.

Add permissions +x for nobody user on your home directory via ACL:

# setfacl -m "u:nobody:--x" /home/homeusername/

Now you can remove whole world rx permissions:

# chmod o-rx /home/homeusername/

Check our changes:

# file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---

As we can see, others do not have any permissions, but user nobody has "x" permission, so they can "look" into the user's directory and give access to users' pages from their home directories to the www server. Of course, if the www server works as the nobody user. But the whole world, except nobody, does not have any permissions.

—This unsigned comment is by Foggs (talk) 13 April 2015 20:46. Please sign your posts with ~~~~!
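
Added example, not part of the discussion or of the wiki section: a check that parses getfacl output like the listing quoted above and reports any deviation from the policy the section aims for (nothing for "other", traverse-only access for the web server user after the mask is applied). The function names and the default web_user="nobody" are assumptions made for this example.

```python
# Constructed sample: the getfacl output quoted in the section above.
SAMPLE = """\
# file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return access ACL entries as (tag, qualifier, perms) tuples."""
    entries = []
    for line in text.splitlines():
        # Drop header comments and any trailing "#effective:..." annotation.
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries

def effective(perms, mask):
    """Named-user and group entries are capped by the mask entry."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit_home_acl(text, web_user="nobody"):
    """Report deviations from: other::---, web_user traverse-only (--x)."""
    entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    findings = []
    for tag, qualifier, perms in entries:
        if tag == "other" and perms != "---":
            findings.append(f"other has {perms}, expected ---")
        elif tag == "user" and qualifier:
            eff = effective(perms, mask)
            if qualifier == web_user and eff != "--x":
                findings.append(f"{web_user} effective {eff}, expected --x")
            elif qualifier != web_user and eff != "---":
                findings.append(f"unexpected named user {qualifier}: {eff}")
    if not any(t == "user" and q == web_user for t, q, _ in entries):
        findings.append(f"no ACL entry for {web_user}")
    return findings

if __name__ == "__main__":
    print(audit_home_acl(SAMPLE) or "ACL matches the intended policy")
```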

Is the section relevant only for Apache or also other web servers? -- Lahwaacz (talk) 10:16, 17 April 2015 (UTC)