From owner-freebsd-questions@FreeBSD.ORG Wed Feb 11 23:56:30 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0AD211065686 for ; Wed, 11 Feb 2009 23:56:30 +0000 (UTC) (envelope-from prvs=pauls=286b60c8c@utdallas.edu) Received: from ip-relay-002.utdallas.edu (ip-relay-002.utdallas.edu [129.110.20.112]) by mx1.freebsd.org (Postfix) with ESMTP id B4CB18FC3E for ; Wed, 11 Feb 2009 23:56:29 +0000 (UTC) (envelope-from prvs=pauls=286b60c8c@utdallas.edu) X-Group: RELAYLIST X-IronPort-AV: E=Sophos;i="4.38,194,1233554400"; d="scan'208";a="6344976" Received: from smtp3.utdallas.edu ([129.110.20.110]) by ip-relay-002.utdallas.edu with ESMTP; 11 Feb 2009 17:27:44 -0600 Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTPSA id 4B1298733; Wed, 11 Feb 2009 17:27:44 -0600 (CST) Date: Wed, 11 Feb 2009 17:27:44 -0600 From: Paul Schmehl To: Roland Smith , Paul Schmehl Message-ID: <46C1D7FE94F6D069164C2098@utd65257.utdallas.edu> In-Reply-To: <20090211202413.GA44294@slackbox.xs4all.nl> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <20090211202413.GA44294@slackbox.xs4all.nl> X-Mailer: Mulberry/4.0.6 (Linux/x86) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="==========780A101F7ADC167DC255==========" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Keith Palmer , freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 23:56:43 -0000 --==========780A101F7ADC167DC255========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith=20 wrote: >> >> Why can't you chgroup and setgid the homedirs to www? (Or whatever >> account the web server is running under.) You really have two >> requirements: >> >> 1) Users can't see other users' files >> 2) The web server can read all users' web files >> >> So you chmod the homedirs to 750/640, and chgroup the dirs and files >> to www, then set the sticky bit for the group, and you're done. > > According to the chgrp manual: > > The user invoking chgrp must belong to the specified group and be the > owner of the file, or be the super-user. > Sorry if I wasn't clear. I wasn't suggesting that the *users* chgrp the files. Keith would do that as=20 root. Then he sets the setgid bit to www (or whatever the web user is), and=20 from that point going forward any files created by the user would be user:www=20 instead of user:user. Set the umask to 027, and world has no readability. This is exactly how I used to handle some files on a webserver that I maintain=20 that other people needed to be able to edit, add and delete files from. Once=20 the sgid bit is set, the group membership of the files remains www no matter=20 what user creates/touches a file. Note that the first bit isn't usually referred to when discussing chmod. So=20 most people will say, for example, chmod directories 755. And if you type '%=20 chmod 755 dir', that's what you'll get. To set the sgid bit, you need to type=20 '% chmod 2755 dir'. See the man 1 chmod for details. My apologies for calling the sgid bit the "sticky" bit, since that's not=20 technically correct. I should have said "setgid" bit rather than "sticky group = bit". --=20 Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --==========780A101F7ADC167DC255==========--