Date: Wed, 11 Feb 2009 17:27:44 -0600 From: Paul Schmehl <pauls@utdallas.edu> To: Roland Smith <rsmith@xs4all.nl>, Paul Schmehl <pschmehl_lists@tx.rr.com> Cc: Keith Palmer <keith@academickeys.com>, freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? Message-ID: <46C1D7FE94F6D069164C2098@utd65257.utdallas.edu> In-Reply-To: <20090211202413.GA44294@slackbox.xs4all.nl> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu> <20090211202413.GA44294@slackbox.xs4all.nl>
index | next in thread | previous in thread | raw e-mail
--On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith <rsmith@xs4all.nl> wrote: >> >> Why can't you chgroup and setgid the homedirs to www? (Or whatever >> account the web server is running under.) You really have two >> requirements: >> >> 1) Users can't see other users' files >> 2) The web server can read all users' web files >> >> So you chmod the homedirs to 750/640, and chgroup the dirs and files >> to www, then set the sticky bit for the group, and you're done. > > According to the chgrp manual: > > The user invoking chgrp must belong to the specified group and be the > owner of the file, or be the super-user. > Sorry if I wasn't clear. I wasn't suggesting that the *users* chgrp the files. Keith would do that as root. Then he sets the setgid bit to www (or whatever the web user is), and from that point going forward any files created by the user would be user:www instead of user:user. Set the umask to 027, and world has no readability. This is exactly how I used to handle some files on a webserver that I maintain that other people needed to be able to edit, add and delete files from. Once the sgid bit is set, the group membership of the files remains www no matter what user creates/touches a file. Note that the first bit isn't usually referred to when discussing chmod. So most people will say, for example, chmod directories 755. And if you type '% chmod 755 dir', that's what you'll get. To set the sgid bit, you need to type '% chmod 2755 dir'. See the man 1 chmod for details. My apologies for calling the sgid bit the "sticky" bit, since that's not technically correct. I should have said "setgid" bit rather than "sticky group bit". -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46C1D7FE94F6D069164C2098>