apache doc folder permissions problem

Fri Jun 18 18:33:43 UTC 2021

> On 18 Jun2021, at 2:13 PM, Bill Cole <macportsusers-20171215 at billmail.scconsult.com> wrote:
> 
> On 2021-06-18 at 10:17:13 UTC-0400 (Fri, 18 Jun 2021 10:17:13 -0400)
> Murray Eisenberg <murrayeisenberg at gmail.com>
> is rumored to have said:
> 
>> Indeed,
>> 
>> 	sudo chmod a+x /Users /Users/me /Users/me/Sites
>> 
>> fixed the permissions access problem.
>> ...
> 
> The requirement is that the user running httpd must have search access on the whole tree above anywhere httpd is serving files from. The precise meaning of the 'search' permission (i.e. the 'execute' bit on a directory) is not intuitive or even well documented. It is simply the ability to access nodes within the directory based on those nodes' permissions, provided the caller knows the name of the item being accessed. Without search permission it simply does not matter what the permissions on items below the directory might be, they cannot be accessed. If you are concerned with other users (i.e. processes running as other users, such as 'daemon' which runs httpd under MacPorts) you can 'chmod a-r' on those directories to block reading of the directories themselves (i.e. the list of names of sub-nodes.)
> 
> You can provide the search permission via the basic rwx by user/group/all mechanism or by extended ACLs, but you cannot create a deep space of access without a path from above….

With macOS 11.4 at least, the command 

	chmod a-r /Users

and even

	sudo chmod a-r /Users

gives error "chmod: Unable to change file mode on /Users: Operation not permitted”.

(By contrast, making the change for /Users/me and /Users/me/Sites is OK.)

---
Murray Eisenberg			murrayeisenberg at gmail.com
503 King Farm Blvd #101	
Rockville, MD 20850-6667	Mobile (413)-427-5334

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20210618/a798a518/attachment.htm>