
yogi799

macrumors newbie
Original poster
Jun 30, 2009
I would like to be able to open up AFP on the Users folder (it is by default), but here comes my concern. Some of the users will have their sites hosted in their user Sites folders, including some PHP config files, potentially containing mysql login information, etc. Accessing the site through the web is no problem, as Apache w/ PHP will never show content of the PHP code, however AFP will! Why does AFP allow read access to everyone's Sites folder??? How can I preserve AFP, so that users can read/write/manage their OWN site, but not be able to see/read someone else's?
 
File/directory security is the only way to do this. File sharing uses both share security and file/directory security to allow access.

To allow this, you'll need:

1. User to have read/write access
2. Group with the Apache/WWW user in it to have read/execute.
3. Everyone else gets no access.

So, let's assume the Apache daemon runs as the user www and that user is a member of the group also called www. You can find this out by:

1. Start Apache.
2. ps -ef | grep httpd (note the 1st column should have the daemon user in it)
3. Then issue: id <username in step 2>
4. The first group listed should be the primary group for that user.

You would do the following for each Sites folder:

1. chown -R <username>:www /Users/<username>/Sites
2. find /Users/<username>/Sites -type f -exec chmod 640 {} \;
3. find /Users/<username>/Sites -type d -exec chmod 750 {} \;

That will:

1. Change the owner and group of the Sites folder to <username> and www group respectively.
2. Change the permissions on all files so that <username> has R/W, the www group has R/O, and nobody else has access.
3. Change the permissions on all directories so that <username> has R/W, the www group has R/O, and nobody else has access.
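The scheme above as a small audit-and-apply script (an added example, not code from the thread). It assumes you already know the Apache group name from the ps/id steps; chown needs root, so it only runs when an owner and group are passed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Apache group name is known
# (the thread shows how to find it: ps -ef | grep httpd, then id <uid>).

# sites_audit DIR: list every entry under DIR that an unrelated AFP user could
# read, write or traverse (any "other" bit set) or that the web group could
# write. Octal masks are used so the same call works with BSD and GNU find.
sites_audit() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 -o -perm -020 \) -print
}

# sites_exposed_count DIR: number of entries sites_audit reports (0 = clean).
sites_exposed_count() {
    sites_audit "$1" | wc -l | tr -d ' '
}

# sites_harden DIR [OWNER GROUP]: apply the scheme from the post. Files become
# 640 (owner rw, group r), directories 750 (owner rwx, group rx), others get
# nothing. chown needs root, so it only runs when OWNER and GROUP are given.
sites_harden() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || return 1
    if [ -n "$owner" ] && [ -n "$group" ]; then
        chown -R "$owner:$group" "$dir" || return 1
    fi
    find "$dir" -type f -exec chmod 640 {} \; &&
    find "$dir" -type d -exec chmod 750 {} \;
}

# sites_harden_all GROUP: run sites_harden on every /Users/<name>/Sites,
# taking the owner name from the path. Meant to be run as root.
sites_harden_all() {
    for d in /Users/*/Sites; do
        [ -d "$d" ] || continue
        owner=$(basename "$(dirname "$d")")
        printf 'hardening %s for %s:%s\n' "$d" "$owner" "$1"
        sites_harden "$d" "$owner" "$1"
    done
}
```

Run sites_audit on a Sites folder first to see exactly which files (a PHP config with database credentials, say) other AFP users can currently read, then sites_harden_all www to fix every home directory in one pass.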
 
Oh, darn it. So I guess it ain't as simple as I hoped. Apparently there is no easy way to do this through Server Admin app. Thanks a lot for your help.
 
1. Start Apache.
2. ps -ef | grep httpd (note the 1st column should have the daemon user in it)
3. Then issue: id <username in step 2>
4. The first group listed should be the primary group for that user.

This is what I got, so what does this mean?

sh-3.2# ps -ef | grep httpd
0 10004 1 0 0:01.24 ?? 0:01.96 /usr/sbin/httpd -D FOREGROUND
70 18800 10004 0 0:00.02 ?? 0:00.07 /usr/sbin/httpd -D FOREGROUND
70 19185 10004 0 0:00.03 ?? 0:00.05 /usr/sbin/httpd -D FOREGROUND
0 19627 19126 0 0:00.00 ttys000 0:00.00 grep httpd
sh-3.2#
 
User id 70 appears to be the one. I believe you can run:

id 70

to determine the group to be used.
 