From owner-freebsd-questions@FreeBSD.ORG Wed Feb 11 19:52:59 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 98DD010656BA for ; Wed, 11 Feb 2009 19:52:59 +0000 (UTC) (envelope-from andrew@qemg.org) Received: from mailserv.mta.ca (mailserv.mta.ca [138.73.1.1]) by mx1.freebsd.org (Postfix) with ESMTP id 5727C8FC1C for ; Wed, 11 Feb 2009 19:52:59 +0000 (UTC) (envelope-from andrew@qemg.org) Received: from [138.73.29.51] (helo=qemg.org) by mailserv.mta.ca with esmtp (Exim 4.61) (envelope-from ) id 1LXKjF-00009B-3e; Wed, 11 Feb 2009 15:26:37 -0400 Date: Wed, 11 Feb 2009 15:27:55 -0400 (AST) From: "A. Wright" To: Keith Palmer In-Reply-To: <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> Message-ID: References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 19:53:00 -0000 On Wed, 11 Feb 2009, Keith Palmer wrote: > What if I symlinked each home user's public_html directory to a directory > readable only by Apache? Would Apache be able to read the destination > directory via the symlink, even if it doesn't have permission to access > the destination directory? You can do something like this easily. Assuming you have access to the Apache config, you can setup Apache to look in a location other than /home/${USER} for the public_html directories. Let us call this /web/${USER}. If you create a directory here for each actual user, and create a user-owned public_html directory within it, then you can make your symlinks from the "real" home directory to this location. Apache can happily operate on the assumption that ${HOME} for each user is /web/${USER}. Look for UserDir in the Apache config httpd.conf (for 1.3) or the httpd-userdir.conf file (for 2.2). > Is there really no better way to do this...?!? Even easier is to simply set the default umask for your users (say to 077) in the system-wide shell initialization for your users' favourite shells. Then new files will be unreadable, and new directories unbrowsable. User "A" will be able to see if "B" has created a file in their home dir, but not what is in it, nor anything below the home directory point. This is what most systems do -- if people want their items completely private, they can put them in a sub-dir. Users can still "give away" privacy by resetting umask or using chmod, but they could do that in any case, if you allow more than one account per machine (or jail). Cheers, Andrew.