Date:      Wed, 11 Feb 2009 19:34:44 +0000
From:      Chris Rees <utisoft@googlemail.com>
To:        Paul Schmehl <pschmehl_lists@tx.rr.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Restricting users to their own home directories / not letting  users view other users files...?
Message-ID:  <b79ecaef0902111134y2f1d14bav32dae5ef83416b21@mail.gmail.com>
In-Reply-To: <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>
References:  <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>

2009/2/11 Paul Schmehl <pschmehl_lists@tx.rr.com>:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> <keith@academickeys.com> wrote:
>
>>
>>
>> ... really? Write a script to copy the user's files over on a schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run every
>> 5 seconds or something to keep users from getting upset.
>>
>>
>> What if I symlinked each home user's public_html directory to a directory
>> readable only by Apache? Would Apache be able to read the destination
>> directory via the symlink, even if it doesn't have permission to access
>> the destination directory?
>>
>
> Why can't you chgroup and setgid the homedirs to www?  (Or whatever account
> the web server is running under.)  You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to www,
> then set the sticky bit for the group, and you're done.  Seems to me that's
> the simplest way to go about it.  Setting the sticky bit ensures that any
> new files created by a user will have www as the group.

Sticky doesn't... it's sgid you want.

Sticky means that only the creator (owner) can use unlink on the file.

Chris

-- 
R< $&h ! > $- ! $+	$@ $2 < @ $1 .UUCP. > (sendmail.cf)
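The thread above describes a layout (home directories 750 with group www, files 640, setgid on the directory so new files inherit the www group) and corrects the bit name: setgid, not sticky. The script below is an added example, not code posted by anyone in the thread. It applies that layout to a throwaway directory and shows, via the mode string, how the setgid bit (`s`) differs from the sticky bit (`T`). The group name is an assumption: it defaults to the caller's primary group so the script runs anywhere; on a real host set `WEBGROUP=www` and run the chgrp step as root.

```shell
#!/bin/sh
# Added example: the 750/640 + setgid home-directory layout from the thread,
# applied to a scratch directory so the effect of each bit can be inspected.
set -e

# Assumption: WEBGROUP is the web server's group ("www" in the thread).
# Fall back to the caller's primary group so the script is self-contained.
WEBGROUP="${WEBGROUP:-$(id -gn)}"

# mode_string PATH -> the 10-character mode, e.g. drwxr-s---
# (cut drops any trailing ACL/xattr marker some ls versions append)
mode_string() { ls -ld "$1" | cut -c1-10; }

# group_of PATH -> group owner as shown by ls -l (4th column)
group_of() { ls -ld "$1" | awk '{print $4}'; }

# setup_home DIR: create DIR/public_html, hand the tree to WEBGROUP and set
# rwxr-s--- (2750): owner full access, group read+traverse, others nothing,
# setgid so files created later inherit WEBGROUP instead of the creator's group.
setup_home() {
    mkdir -p "$1/public_html"
    chgrp -R "$WEBGROUP" "$1"
    chmod 2750 "$1" "$1/public_html"
}

# new_file DIR NAME: create a file as a user would, then restrict it to 640
# (rw-r-----): the web server's group can read it, nobody else can.
new_file() {
    : > "$1/$2"
    chmod 640 "$1/$2"
}

# sticky_demo DIR: same 750 layout but with the sticky bit (1750) instead of
# setgid, for comparison. Sticky only restricts who may unlink entries; it
# does not change which group a new file gets.
sticky_demo() {
    mkdir -p "$1"
    chmod 1750 "$1"
}

# Stand-alone run: build both directories in a temp tree and print the results.
if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d)
    setup_home "$T/alice"
    new_file "$T/alice/public_html" index.html
    sticky_demo "$T/sticky"
    echo "setgid dir : $(mode_string "$T/alice")  group=$(group_of "$T/alice")"
    echo "new file   : $(mode_string "$T/alice/public_html/index.html")  group=$(group_of "$T/alice/public_html/index.html")"
    echo "sticky dir : $(mode_string "$T/sticky")"
    rm -rf "$T"
fi
```

Run it with `sh script.sh --demo`. Two checks are worth making on a real deployment of this layout: the user accounts must not themselves be members of the www group, otherwise the group-read bits let every user traverse every other home directory, which defeats requirement 1; and the setgid bit only governs the group of newly created files, so the user's umask (or a later `chmod`) still decides whether those files end up group-readable at all.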