Question about security of AFP, read access to files of other users

Discussion in 'macOS' started by yogi799, Jun 30, 2009.

  1. yogi799 macrumors newbie

    Joined:
    Jun 30, 2009
    #1
    I would like to be able to open up AFP on the Users folder (it is by default), but here comes my concern. Some of the users will have their sites hosted in their user Sites folders, including some PHP config files, potentially containing mysql login information, etc. Accessing the site through the web is no problem, as Apache w/ PHP will never show content of the PHP code, however AFP will! Why does AFP allow read access to everyone's Sites folder??? How can I preserve AFP, so that users can read/write/manage their OWN site, but not be able to see/read someone else's?
     
  2. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #2
    File/directory security is the only way to do this. File sharing uses both share security and file/directory security to allow access.

    To allow this, you'll need:

    1. User to have read/write access
    2. Group with the Apache/WWW user in it to have read/execute.
    3. Everyone else gets no access.

    So, let's assume the Apache daemon runs as the user www and that user is a member of the group also called www. You can find this out by:

    1. Start Apache.
    2. ps -ef | grep httpd (note the 1st column should have the daemon user in it)
    3. Then issue: id <username in step 2>
    4. The first group listed should be the primary group for that user.

    You would do the following for each Sites folder:

    1. chown -R <username>:www /Users/<username>/Sites
    2. find /Users/<username>/Sites -type f -exec chmod 640 {} \;
    3. find /Users/<username>/Sites -type d -exec chmod 750 {} \;

    That will:

    1. Change the owner and group of the Sites folder to <username> and www group respectively.
    2. Change the permissions on all files so that <username> has R/W, the www group has R/O, and nobody else has access.
    3. Change the permissions on all directories so that <username> has R/W, the www group has R/O, and nobody else has access.
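    As an added, runnable illustration of the scheme in the reply above (this is not code from the thread), the script below applies the owner/web-group/nobody layout to a Sites tree and then verifies that nothing under it is still readable by "other", which is the bit every AFP user and local account would otherwise inherit. The group name www is an assumption carried over from the reply; the fixture it builds is a constructed throwaway tree, and the demo defaults to the invoking user's own user and primary group so it can be tried without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the web server's group is
# the third argument (the reply above assumes "www").

# Count entries under $1 that are readable by "other" (mode bit 004).
count_world_readable() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# Count files whose mode is not exactly 640 plus directories whose mode
# is not exactly 750, i.e. anything that departs from the target layout.
count_nonconforming() {
    f=$(find "$1" -type f ! -perm 640 | wc -l | tr -d ' ')
    d=$(find "$1" -type d ! -perm 750 | wc -l | tr -d ' ')
    echo $((f + d))
}

# harden_sites DIR OWNER GROUP
# Owner: read/write; GROUP (web server): read on files, traverse on
# directories; everyone else: nothing.  Note "-type f" / "-type d" with
# no dash before the letter, and "{} +" so chmod gets many paths at once.
harden_sites() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
    find "$dir" -type d -exec chmod 750 {} + || return 1
}

# Constructed fixture: a scratch Sites tree with the default 644/755
# modes that leave a PHP config file readable by every AFP user.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Sites/includes"
    printf '<?php $db_pass = "example-only";\n' > "$tmp/Sites/includes/config.php"
    printf '<html>hello</html>\n' > "$tmp/Sites/index.html"
    chmod 755 "$tmp/Sites" "$tmp/Sites/includes"
    chmod 644 "$tmp/Sites/includes/config.php" "$tmp/Sites/index.html"
    echo "$tmp"
}

# Demo: build the fixture, show the exposure, fix it, show the result.
# Usage: sh harden_sites.sh [owner] [group]   (defaults: current user/group;
# in production pass <username> and www).
run_demo() {
    owner=${1:-$(id -un)}
    group=${2:-$(id -gn)}
    base=$(make_fixture) || return 1
    echo "before: $(count_world_readable "$base/Sites") world-readable entries"
    harden_sites "$base/Sites" "$owner" "$group" || return 1
    echo "after:  $(count_world_readable "$base/Sites") world-readable entries," \
         "$(count_nonconforming "$base/Sites") nonconforming"
    rm -rf "$base"
}

run_demo "$@"
```

    The verification step is the part worth keeping around: after any bulk chmod on a shared tree, a zero count from count_world_readable is the quick check that no PHP config or similar file slipped back to world-readable, and count_nonconforming catches files created later with the default umask.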
     
  3. yogi799 thread starter macrumors newbie

    Joined:
    Jun 30, 2009
    #3
    Oh, darn it. So I guess it ain't as simple as I hoped. Apparently there is no easy way to do this through Server Admin app. Thanks a lot for your help.
     
  4. yogi799 thread starter macrumors newbie

    Joined:
    Jun 30, 2009
    #4
    This is what I got, so what does this mean?

    sh-3.2# ps -ef | grep httpd
    0 10004 1 0 0:01.24 ?? 0:01.96 /usr/sbin/httpd -D FOREGROUND
    70 18800 10004 0 0:00.02 ?? 0:00.07 /usr/sbin/httpd -D FOREGROUND
    70 19185 10004 0 0:00.03 ?? 0:00.05 /usr/sbin/httpd -D FOREGROUND
    0 19627 19126 0 0:00.00 ttys000 0:00.00 grep httpd
    sh-3.2#
     
  5. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #5
    User id 70 appears to be the one. I believe you can run:

    id 70

    to determine the group to be used.
     
