www-servers/cherokee runs as root by default (tested on cherokee-0.98.1). The ebuild does a

    enewgroup cherokee
    enewuser cherokee -1 -1 /var/www/localhost cherokee

so I guess the intended behaviour is to run as user 'cherokee'. Adding

    server!user = cherokee
    server!group = cherokee

to /etc/cherokee/cherokee.conf fixes this. In the default configuration, these variables are absent, causing cherokee to run as the invoking user.

Reproducible: Always

Steps to Reproduce:
1. Emerge cherokee-0.98.1
2. Put a textfile readable only by root in /var/www/localhost/htdocs
3. Access said file via the webserver

Actual Results:
File contents are displayed.

Expected Results:
File contents should not be displayed. A 403 should be displayed.

Gotcha for testing: By default, cherokee does io-caching. Fiddling with permissions with the IO-cache on gives unexpected results. Disable the cache, or restart cherokee between each test.
Fixed in new version in CVS
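A check for the condition described in the report, added here as an example and not part of the original bug thread or the ebuild: it reads a cherokee.conf-style file and fails when `server!user` or `server!group` is absent or set to root. The function names, the sample files and the treatment of `#` lines as comments are assumptions of this example.

```shell
#!/bin/sh
# Print the last value assigned to a key in a "key = value" config file.
# Lines starting with '#' are skipped as comments (assumption of this example).
conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v      # later assignments override earlier ones
        }
        END { print val }
    ' "$2"
}

# Return 0 only if both privilege-drop keys are set to a non-root identity.
check_privdrop() {
    conf=$1
    status=0
    for key in 'server!user' 'server!group'; do
        val=$(conf_get "$key" "$conf")
        case "$val" in
            '')     echo "FAIL: $key not set; cherokee runs as the invoking user"
                    status=1 ;;
            root|0) echo "FAIL: $key = $val"
                    status=1 ;;
            *)      echo "OK:   $key = $val" ;;
        esac
    done
    return $status
}

# Constructed sample configs (not the file shipped by the ebuild).
SAMPLES=$(mktemp -d)
printf '%s\n' 'server!timeout = 15' \
    'vserver!1!document_root = /var/www/localhost/htdocs' > "$SAMPLES/default.conf"
{ cat "$SAMPLES/default.conf"
  printf '%s\n' 'server!user = cherokee' 'server!group = cherokee'
} > "$SAMPLES/fixed.conf"

echo "== default.conf"; check_privdrop "$SAMPLES/default.conf" || true
echo "== fixed.conf";   check_privdrop "$SAMPLES/fixed.conf"   || true
```

On an installed system, call `check_privdrop /etc/cherokee/cherokee.conf` instead of the sample files.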