[tex-live] updmap and /

Reinhard Kotucha reinhard.kotucha at web.de
Tue Mar 3 03:20:26 CET 2009 

On 2 March 2009 Heiko Oberdiek wrote:

 > > Some time ago I did this (as root):
 > > 
 > >   chmod 700 /home/*
 > > 
 > > Looks reasonable at a first glance, right?  But it didn't work.
 > > 
 > > One of the reasons the most critical programs (Postfix, Apache,...)
 > > are so secure is that these programs do most of their work as
 > > unprivileged users rather than with root permissions.  
 > > 
 > > So, what's wrong with "chmod 700 /home/*"?
 > 
 > Nothing. ;-)
 > 
 > > If the /home/* directories are not executable by everyone, then Apache
 > > is not able to access the /home/*/public_html files.
 > 
 > Not everyone does have something inside public_html.
 > However the others have to enable executive permission, e.g.
 >   chmod 711 /home/user_with_public_html_files

That's right, but I must admit that I didn't notice myself that
changing the permissions had an impact on Apache.  I had been told by
a user that ~/public_html didn't work.  I have access to the logs,
mortal users don't have.  And I'm pretty sure that an empty directory
doesn't cause any harm.

 > But making it readable for others means that they can easily look
 > into the directory and perhaps can even read files that are meant
 > to be private.

But ~/public_html usually doesn't contain anything private.  The
content has to be readable by unprivileged users (like Apache) and of
course, Apache needs "exec" permissions in order to 
"cd /home/user/public_html".  But whether anything else is readable by
anybody else depends on umask.  I don't think that it's dangerous to
grant "exec" permissions to a particular directory.

 > > It doesn't make sense to be too restrictive.  And paranoia is a
 > > medical condition rather than an instrument to achieve security.
 > 
 > But you need paranoia for security, thus the art is finding
 > the right balance depending on the circumstances.

I distinguish between being careful and being paranoid.  If you want
to make your system more secure, you have to find out first how things
work and configure them with care.  Paranoia is something completely
different.  Paranoids have problems with things which actually exist
only in their mind.

Regards,
  Reinhard

-- 
----------------------------------------------------------------------------
Reinhard Kotucha			              Phone: +49-511-3373112
Marschnerstr. 25
D-30167 Hannover	                      mailto:reinhard.kotucha at web.de
----------------------------------------------------------------------------
Microsoft isn't the answer. Microsoft is the question, and the answer is NO.
----------------------------------------------------------------------------

More information about the tex-live mailing list