Restricting users to their own home directories / not letting
users view other users files...?
Paul Schmehl
pschmehl_lists at tx.rr.com
Wed Feb 11 11:23:25 PST 2009
--On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
<keith at academickeys.com> wrote:
>
>
> ... really? Write a script to copy the user's files over on a schedule...?
>
> I can see where that might be an option for some people, but that's
> entirely not an option in this case. I'd have to schedule it to run every
> 5 seconds or something to keep users from getting upset.
>
>
> What if I symlinked each home user's public_html directory to a directory
> readable only by Apache? Would Apache be able to read the destination
> directory via the symlink, even if it doesn't have permission to access
> the destination directory?
>
Why can't you chgroup and setgid the homedirs to www? (Or whatever account the
web server is running under.) You really have two requirements:
1) Users can't see other users' files
2) The web server can read all users' web files
So you chmod the homedirs to 750/640, and chgroup the dirs and files to www,
then set the sticky bit for the group, and you're done. Seems to me that's the
simplest way to go about it. Setting the sticky bit ensures that any new files
created by a user will have www as the group.
So chown -R someuser:www /home/someuser
find /home/someuser -type d exec "chmod 2750 {}" \;
find /home/someuser -type f exec "chomd 2640 {}" \;
(Might have my syntax on the find command messed up a bit. Make sure to man
that.)
If your users have their webfiles in /home/someuser/public_html, then you only
need to setgid that dir and its subdirs, no the user's homedir.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
More information about the freebsd-questions
mailing list