In order for Apache to access the files it is serving correctly, you should set the virtual directory tree as follows, e.g.
set file/owner=apache$www/prot=(s:rwed,o:rwed,g,w) [.root...]*.* /log
Where root is the parent folder in the virtual directory.
Virtual Directory Security
-
WillemGrooters
- VMS Guru
- Posts: 59
- Joined: Wed Jul 20, 2005 10:17 am
- Location: Netherlands
- Contact:
Safer, and more flexible:
This allows Apache to access the files for read only; only if WRITE or DELETE is required, these can be added in the access parameter.
Yet, the owner of the file can still acess them, and have full control.
A more elaborate (Machiavellian?) way (based on "Devide and Rule"
)
* Define an identifier to be owner of the direcory and files
* Now set all files and directories to be owned by the identifier for this
* Define identifiers to control file access. You can do with one giving full access, or a number of one for restricted access to the directories and files, based on the user's functional requirements.
* Set up ACL for each of these identifiers that control access on each file.
So you get:
so TheBoss is owner (and can do everything because of that) of all the files, and Subsidiary can update the files - and create new ones.
* Users that require access are granted the identiefier(s) fit for their ask. Except, of course, APACHE$WWW, it's better to have APACHE$WWW have it's own ACL as above.
So if I were grated TheBoss, I'd be able to delete it alll, when granted just Subsidiary I could not. If none were granted, I have no access at all - except via the webserver.
Code: Select all
set secu/acl=(id=apache$www, access=READ) [.root...]*.*/excl=*.dir
set secu/acl=(id=apache$www, access=READ+EXECUTE) [.root...]*.dir
set secu/acl=(id=apache$www, access=READ)/DEFAULT [.root...]*.dirYet, the owner of the file can still acess them, and have full control.
A more elaborate (Machiavellian?) way (based on "Devide and Rule"
)* Define an identifier to be owner of the direcory and files
* Now set all files and directories to be owned by the identifier for this
* Define identifiers to control file access. You can do with one giving full access, or a number of one for restricted access to the directories and files, based on the user's functional requirements.
* Set up ACL for each of these identifiers that control access on each file.
So you get:
Code: Select all
Set file/owner=TheBoss [.root...]*.*;*
set secu/prot=(s:wred,o:wred,g,w) [.root...]*.*;*
set secu/acl=(id=TheBoss, access=DELETE+WRITE+READ+EXECUTE) [.root...]*.*/excl=*.dir
set secu/acl=(id=Subsidiary, access=WRITE+READ+EXECUTE) [.root...]*.*/excl=*.dir
set secu/acl=(id=Subsidiary, access=WRITE+READ+EXECUTE) [.root...]*.dir* Users that require access are granted the identiefier(s) fit for their ask. Except, of course, APACHE$WWW, it's better to have APACHE$WWW have it's own ACL as above.
So if I were grated TheBoss, I'd be able to delete it alll, when granted just Subsidiary I could not. If none were granted, I have no access at all - except via the webserver.