On Mon, 17 Apr 1995, Baba Z Buehler wrote: > > the httpd process will read files with the permissions of the user it is > running as. if you run your httpd as root, then you've got a problem. So it's OK for the rest of the net to read any files a non-privileged user can read ? > run httpd as user 'nobody' or some such, and you won't have this problem. Except in the scenario Mr Pink described, if they had not had shadow passwords but /etc/passwd mode 644 then of course 'nobody' _could_ read that, as well as every other file on the system that is world-readable. Unfortunately just running as 'nobody' is not enough, you have to either disallow the following of symlinks in user directories (which is a good idea anyway), choose which users can have symlinks and have a more complex access list (this is NCSA httpd, I don't know about the CERN version), or lastly just allow any user to give the network read access to your system (may be option for those in a secure environment or who trust all the users on the system). Regards, Martin. ---------------------------------------------------------------- | Martin Hargreaves, ch11mh@surrey.ac.uk| | Undergraduate Computational Chemist | | WWW Server Admin http://www.chem.surrey.ac.uk| ----------------------------------------------------------------