Date: Wed, 11 Feb 2009 21:24:13 +0100 From: Roland Smith <rsmith@xs4all.nl> To: Paul Schmehl <pschmehl_lists@tx.rr.com> Cc: Keith Palmer <keith@academickeys.com>, freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? Message-ID: <20090211202413.GA44294@slackbox.xs4all.nl> In-Reply-To: <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--qDbXVdCdHGoSgWSk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Wed, Feb 11, 2009 at 01:23:23PM -0600, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer=20
> <keith@academickeys.com> wrote:
>
> > ... really? Write a script to copy the user's files over on a schedule.=
=2E.?
> >
> > I can see where that might be an option for some people, but that's
> > entirely not an option in this case. I'd have to schedule it to run eve=
ry
> > 5 seconds or something to keep users from getting upset.
> >
> >
> > What if I symlinked each home user's public_html directory to a directo=
ry
> > readable only by Apache? Would Apache be able to read the destination
> > directory via the symlink, even if it doesn't have permission to access
> > the destination directory?
> >
>=20
> Why can't you chgroup and setgid the homedirs to www? (Or whatever
> account the web server is running under.) You really have two
> requirements:
>=20
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>=20
> So you chmod the homedirs to 750/640, and chgroup the dirs and files
> to www, then set the sticky bit for the group, and you're done. =20
According to the chgrp manual:=20
The user invoking chgrp must belong to the specified group and be the
owner of the file, or be the super-user.
So if a non-root user wanted to add a new file, he'd have to be in the
www group to chgrp! Which would give other users (who'd also have to be
in the www group) at least read access to these files. And possilby to
other files used by apache as well.
Now for these webpages giving other reads access shouldn't be that much of
a problem. Since these are webpages they are presumably _meant_ to be
read by others. But giving all the users access to files belonging to
apache, that might not be desirable?
The thing is that the user would need to know that they have to chown
and chmod any new file/dir they create in public_html. For the average
windows user that would probably be too much to ask for.
Roland
--=20
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
--qDbXVdCdHGoSgWSk
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (FreeBSD)
iEYEARECAAYFAkmTM+0ACgkQEnfvsMMhpyWfRQCeOd3Wt1/YRCz9TbGqS6bZQuTH
KrEAoJxsFqT2OsQjPAmmyml3JWs6VlZ8
=I1Zw
-----END PGP SIGNATURE-----
--qDbXVdCdHGoSgWSk--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090211202413.GA44294>