From owner-freebsd-questions@FreeBSD.ORG Wed Feb 11 22:23:52 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8915510657F6 for ; Wed, 11 Feb 2009 22:23:52 +0000 (UTC) (envelope-from rock_on_the_web@comcen.com.au) Received: from angel.comcen.com.au (angel.comcen.com.au [203.23.236.69]) by mx1.freebsd.org (Postfix) with ESMTP id 4CF488FC12 for ; Wed, 11 Feb 2009 22:23:52 +0000 (UTC) (envelope-from rock_on_the_web@comcen.com.au) Received: from [192.168.0.192] (unknown [202.172.126.254]) by angel.comcen.com.au (Postfix) with ESMTP id D13505C2EB62 for ; Thu, 12 Feb 2009 09:25:13 +1100 (EST) From: Da Rock To: freebsd-questions@freebsd.org In-Reply-To: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> Content-Type: text/plain Date: Thu, 12 Feb 2009 08:24:01 +1000 Message-Id: <1234391041.13067.33.camel@laptop1.herveybayaustralia.com.au> Mime-Version: 1.0 X-Mailer: Evolution 2.24.4 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 22:23:53 -0000 On Wed, 2009-02-11 at 11:22 -0500, Keith Palmer wrote: > OK, I'm sure this question has been asked a million times, but I havn't > been able to find a straight answer that actually solves the problem, so > here goes. > > We have a FreeBSD server with multiple users. I would rather each user > *not* be able to view other users' files via an SSH or SFTP session. i.e. > if I'm logged in as "keith" I should *not* get a list of files when I do > "ls /home/shannon" > > I realize I can fix this by setting the permissions on the "/home/shannon" > directory to 700. *However* then Apache (running as user "www") won't > display the documents in "/home/shannon/public_html" from > "http://ip-address/~shannon/", instead returning a "403 Forbidden" error. > > > Sooo... how can I set this up so that users can't view other user's files, > but Apache still works? > > I would prefer *not* to use jails, as it sounds like a lot of overhead and > complicated to set up... is there another way? > > I've looked at rbash, but it looks like it disables a whole bunch of other > stuff. My users still need a usable SSH shell. I've looked at rssh and > scponly, but they seem to disallow SSH shell access completely. Wouldn't you use permissions where you have the user as owner and the apache group as group? Something like 750 :www