Date: Wed, 11 Feb 2009 17:27:44 -0600 From: Paul Schmehl <pauls@utdallas.edu> To: Roland Smith <rsmith@xs4all.nl>, Paul Schmehl <pschmehl_lists@tx.rr.com> Cc: Keith Palmer <keith@academickeys.com>, freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? Message-ID: <46C1D7FE94F6D069164C2098@utd65257.utdallas.edu> In-Reply-To: <20090211202413.GA44294@slackbox.xs4all.nl> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu> <20090211202413.GA44294@slackbox.xs4all.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
--==========780A101F7ADC167DC255========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith=20 <rsmith@xs4all.nl> wrote: >> >> Why can't you chgroup and setgid the homedirs to www? (Or whatever >> account the web server is running under.) You really have two >> requirements: >> >> 1) Users can't see other users' files >> 2) The web server can read all users' web files >> >> So you chmod the homedirs to 750/640, and chgroup the dirs and files >> to www, then set the sticky bit for the group, and you're done. > > According to the chgrp manual: > > The user invoking chgrp must belong to the specified group and be the > owner of the file, or be the super-user. > Sorry if I wasn't clear. I wasn't suggesting that the *users* chgrp the files. Keith would do that as=20 root. Then he sets the setgid bit to www (or whatever the web user is), and=20 from that point going forward any files created by the user would be user:www=20 instead of user:user. Set the umask to 027, and world has no readability. This is exactly how I used to handle some files on a webserver that I maintain=20 that other people needed to be able to edit, add and delete files from. Once=20 the sgid bit is set, the group membership of the files remains www no matter=20 what user creates/touches a file. Note that the first bit isn't usually referred to when discussing chmod. So=20 most people will say, for example, chmod directories 755. And if you type '%=20 chmod 755 dir', that's what you'll get. To set the sgid bit, you need to type=20 '% chmod 2755 dir'. See the man 1 chmod for details. My apologies for calling the sgid bit the "sticky" bit, since that's not=20 technically correct. I should have said "setgid" bit rather than "sticky group = bit". --=20 Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --==========780A101F7ADC167DC255==========--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46C1D7FE94F6D069164C2098>