Re: [BackupPC-users] Permissions on files edited via GUI (V3 Beta)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Craig Barratt <cba...@us...> wrote on 12/22/2006 
07:29:53 AM:

> Tim writes:
> 
> > I have a problem with the permissions on configuration files modified 
by
> > the BackupPC GUI.  The files are given 644 permissions, and owned by
> > backuppc:apache.
> > 
> > This is a problem.  With 644 permissions, my rsyncd passwords are now
> > world-readable.  That is a deal-killer.  Also, from my tests it does 
not
> > seem that apache needs to have group ownership.  After all, the CGI 
script
> > is running setuid as backuppc, right?
> 
> It's usually a higher-level directory that protects these
> files from access.  Can you check the parent directories?

They are all 755, IIRC.  However, I was the one that set them that way: 
there was a permission problem in getting the system to run in the first 
place, which I fixed with a chmod -R 755.  I don't remember the exact 
details, but I belive that config.pl was set with permissions that 
prevented the CGI script from accessing it.  However, I had manually set 
the .pl files to backuppc:backuppc 640.

> In any case, changing the modes to 640 sounds like a good
> idea.

What about group ownership by apache?  Is there any reason for this?  It 
doesn't seem like making the file readable by apache is such a good idea. 
It seems that any user would be able to create a CGI script to read the 
.pl files.  Is there an acutal reason for apache to be given group 
ownership?

However, if changing the permissions on the pc directory will fix this, 
then I will do that.

Thank you very much for your reply.  I eagerly look forward to 3.0.0!

Tim Massey