Re: [Gnump3d-users] Re: blank page as result when accessing the root of gnump3d-server

[Brandon Kuczenski]

On Mon, 7 May 2007, Markus Drexelius wrote:

> Hi Brandon!
>
> I have fixed the problem: the parent folder of the MP3-root folder didn't
> have read and execute permissions for "others" (but for the group where I
> have included the user "gnump3d").
>
> Now after "o+x" and "o+r" it works fine.
>
> One (maybe silly) last question: when I enter "groups gnump3d" the result
> is: "gnump3d : nogroup gemeinsam"

'nogroup' is the default group for the user 'nobody' and for other users 
that don't normally need access to things-- just another group.  If you 
like, you could change the default group for gnump3d to 'gemeinsam' by 
editing the passwd file (using the command vipw as root) but it shouldn't 
matter.  If you'd like, take a look at the files /etc/passwd and 
/etc/group and the man pages for passwd(5) and group(5).


> I am asking that, because the group access should permit the user gnump3d
> to have execute-access to the parent folder of MP3-root...
>
> So I can't explain to myself, why it doesn't work before, only when I give
> execute permissions for everybody it works fine...


I guess this depends on the way gnump3d is coded, but I would think that
when you connect from another computer you are a member of the 'others', so
even if gnump3d can access the pages it cannot show them to you.  It would
have to override the permissions that prevented you from reading-- which
would mean gnump3d would have to be the owner of the files in order to do
that.  FWIW, I think the gnump3d user should definitely NOT be the owner of
the files it's serving.

Interestingly, I don't think you need 'read' permissions on all the parent
directories, but you do need 'execute'.  You don't want to look in the room,
only pass through it (maybe with your eyes closed).

> Normally I want to give only very restrictive rights to access anything on
> my server, so giving everybody directory-listing (execute) and read access
> to a directory where other data/directories are stored is not in this
> sense of security...

Often files being readable (and directories executable) are not generally
considered to be security risks, since most of the time they are not being
accessed by their owner (which is often root) anyway.  Proper use of the
system usually necessitates world-readable access [at the filesystem level].
Especially material that is intended to be shared with the world should be
freely available to everyone on the computer.

If you are concerned about giving world-read permissions to parent
directories, create a new, non-secure directory (say, in /usr/local/share--
stuff meant to be shared) and put your MP3 collection there.

Regards,
Brandon