apache doc folder permissions problem

Bill Cole macportsusers-20171215 at billmail.scconsult.com
Fri Jun 18 18:13:08 UTC 2021

On 2021-06-18 at 10:17:13 UTC-0400 (Fri, 18 Jun 2021 10:17:13 -0400)
Murray Eisenberg <murrayeisenberg at gmail.com>
is rumored to have said:

> Indeed,
> 	sudo chmod a+x /Users /Users/me /Users/me/Sites
> fixed the permissions access problem.
> Is there some alternative way to fix this — by changing the owner of 
> just /Users/me/Sites and its tree of descendants and/or by changing 
> settings in the entries of
>  /opt/local/etc/apache2/extra/httpd-vhosts.conf ?

The requirement is that the user running httpd must have search access 
on the whole tree above anywhere httpd is serving files from. The 
precise meaning of the 'search' permission (i.e. the 'execute' bit on a 
directory) is not intuitive or even well documented. It is simply the 
ability to access nodes within the directory based on those nodes' 
permissions, provided the caller knows the name of the item being 
accessed. Without search permission it simply does not matter what the 
permissions on items below the directory might be; they cannot be 
accessed. If you are concerned with other users (i.e. processes running 
as other users, such as 'daemon' which runs httpd under MacPorts) you 
can 'chmod a-r' on those directories to block reading of the directories 
themselves (i.e. the list of names of sub-nodes.)

You can provide the search permission via the basic rwx by 
user/group/all mechanism or by extended ACLs, but you cannot create a 
deep space of access without a path from above.

> And if there is no such alternative, then why would permissions on 
> /Users, /Users/me, and /Users/me/Sites have changed away from a+x, 
> seemingly without my own intervention, during some macOS upgrade?

We do not know if it happened to all 3, as you did not show listings 
showing those directories' permissions. I only advised you to chmod them 
all because they all must have the permission and there's no effect of 
adding a permission that already exists.

My guess is that at some point Apple decided to tighten up permissions 
on home directories because it is simply a standard best practice. They 
have been getting increasingly unilateral in their security decisions 
since ~10.9 and removing world read and search/execute permissions from 
home directories is a harmless tightening for the overwhelming majority 
of Mac users.

Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
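
Added example, not part of the original message: a small POSIX sh script that walks from / down to a served directory and reports which directories lack the search bit for "other" users, which is the listing the reply notes was never shown. It assumes the httpd user (such as 'daemon') is neither owner nor group member of the directories, reads only the basic mode bits (not extended ACLs), and the file name check.sh is hypothetical.

```shell
#!/bin/sh
# Added example: find which directory on the way to a served path lacks
# search (x) permission for "other" users, e.g. the 'daemon' user that
# runs httpd. Only the basic mode bits are read; a grant made through
# an extended ACL is not considered.

# other_can_search DIR: succeed if the "other" class has the x bit on DIR.
other_can_search() {
    # First 10 characters of the ls mode string: type + user/group/other.
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d????????[xt]) return 0 ;;   # 't' = sticky bit set together with x
        *)             return 1 ;;
    esac
}

# blocked_dirs PATH: print, from the top down, every directory on PATH
# (including PATH itself) that "other" users cannot search.
blocked_dirs() {
    # Positional parameters are per-call, so recursion is safe in sh.
    if [ "$1" != "/" ] && [ "$1" != "." ]; then
        blocked_dirs "$(dirname "$1")"
    fi
    [ -d "$1" ] || return 0
    other_can_search "$1" || printf '%s\n' "$1"
}

# Example (hypothetical file name): sh check.sh /Users/me/Sites
if [ "$#" -gt 0 ]; then
    blocked_dirs "$1"
fi
```

Only the directories it prints need `chmod a+x`; an empty result means the mode bits already give "other" a search path all the way down.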
