Date: Wed, 11 Feb 2009 10:12:31 -0900
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Cc: Keith Palmer <keith@academickeys.com>
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID: <200902111012.31468.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com>
References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com>
On Wednesday 11 February 2009 07:22:17 Keith Palmer wrote:
> OK, I'm sure this question has been asked a million times, but I haven't
> been able to find a straight answer that actually solves the problem, so
> here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user
> *not* be able to view other users' files via an SSH or SFTP session. i.e.
> if I'm logged in as "keith" I should *not* get a list of files when I do
> "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
> Sooo... how can I set this up so that users can't view other users' files,
> but Apache still works?

Your problem might be how they change the files, if via FTP, but...

- Move the public_html dirs
- chgrp www, chmod 640.
- symlink in the home dir

http://httpd.apache.org/docs/2.2/mod/mod_userdir.html#userdir

Example:

mkdir /var/userweb
for USERDIR in /home/*; do
  if test -d "${USERDIR}/public_html"; then
    # /home/keith -> /var/userweb/keith
    destdir="/var/userweb/${USERDIR##/home/}"
    mkdir "${destdir}"
    mv "${USERDIR}/public_html" "${destdir}/"
    # keep ~/public_html working for the user via a symlink
    ln -s "${destdir}/public_html" "${USERDIR}/public_html"
    # readable by Apache's group only, no access for others
    chgrp -R www "${destdir}/public_html"
    chmod -R u+w,g-w,o= "${destdir}/public_html"
  fi
done

In httpd.conf:

UserDir /var/userweb/*/public_html

That said, I don't really understand your 'ls' paranoia. If you don't care
about ls, you can set the users' umask to 0027 and rechmod all files to 640.
Have users in their own group and have */public_html group www.
/home/username then has to have 755 in order for apache to get to
public_html.

-- 
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
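An added audit script, not part of Mel's message, that checks a home directory against the layout his second suggestion describes: /home/<user> left at 755 so Apache can traverse it, everything else 640/750 with no access for others, and public_html owned by the web server's group with group read. The web group is a parameter (Mel's box uses "www"; the fixture below uses the caller's own primary group because a test machine may have no "www" group). The sample tree built by make_fixture, with its "shannon" user and file names, is constructed for the example.

```shell
#!/bin/sh
# Audit a home directory for the permission layout discussed on the list:
#   /home/<user>           o+x so Apache (user www) can reach public_html
#   everything else        not readable by others (640 files / 750 dirs)
#   public_html            group = web group, group-readable
# Added example; assumes only POSIX sh, ls, find, cut and awk.

# mode_of PATH -> symbolic mode string such as drwxr-x--- (follows symlinks,
# so Mel's ~/public_html -> /var/userweb/... link is checked by its target)
mode_of() {
    ls -ldL "$1" | cut -c1-10
}

# group_of PATH -> group name as printed by ls
group_of() {
    ls -ldL "$1" | awk '{print $4}'
}

# audit_home HOME [WEBGROUP]
# Prints one line per finding; returns 0 when compliant, 1 otherwise.
audit_home() {
    home=$1
    webgroup=${2:-www}
    rc=0

    # 1. the home itself must be traversable by others, or mod_userdir gets 403
    case $(mode_of "$home" | cut -c8-10) in
        ??x) ;;
        *)   echo "$home: missing o+x, Apache cannot reach public_html"; rc=1 ;;
    esac

    # 2. nothing under the home except public_html may be readable by others
    #    (-perm -004 = "other" read bit set; numeric form is portable)
    leaks=$(find "$home" -mindepth 1 -path "$home/public_html" -prune -o -perm -004 -print)
    if [ -n "$leaks" ]; then
        printf '%s: other-readable entries (expected 640/750):\n%s\n' "$home" "$leaks"
        rc=1
    fi

    # 3. public_html must belong to the web group and be group-readable
    web=$home/public_html
    if [ -d "$web" ]; then
        if [ "$(group_of "$web")" != "$webgroup" ]; then
            echo "$web: group is $(group_of "$web"), expected $webgroup"; rc=1
        fi
        case $(mode_of "$web") in
            ????r*) ;;
            *) echo "$web: not group-readable, $webgroup cannot serve it"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_fixture GOOD|BAD WEBGROUP -> prints the path of a constructed home
# directory; BAD leaves one private file world-readable.
make_fixture() {
    base=$(mktemp -d)
    home=$base/shannon                      # constructed user name
    mkdir -p "$home/public_html" "$home/private"
    echo '<h1>hi</h1>' > "$home/public_html/index.html"
    echo 'secret' > "$home/private/notes.txt"
    chmod 755 "$home"                       # traversable, as Mel says it must be
    chmod 750 "$home/private"
    chmod 640 "$home/private/notes.txt"
    chgrp "$2" "$home/public_html"          # stand-in for chgrp www
    chmod 750 "$home/public_html"
    chmod 640 "$home/public_html/index.html"
    [ "$1" = BAD ] && chmod 644 "$home/private/notes.txt"
    echo "$home"
}

# Usage: sh audit.sh /home/shannon www
if [ $# -ge 1 ]; then
    audit_home "$1" "${2:-www}"
fi
```

Run it over /home/* from cron and the output is empty when every home matches the layout; the fixture shows what a single leaked 644 file looks like. Note that check 1 deliberately tolerates the home directory itself being world-readable, which is exactly the "ls" trade-off Mel points out.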
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200902111012.31468.fbsd.questions>