Date: Thu, 12 Feb 2009 02:07:42 +0100
From: Paul Schmehl <pauls@utdallas.edu>
To: Roland Smith <rsmith@xs4all.nl>, Paul Schmehl <pschmehl_lists@tx.rr.com>
Cc: Keith Palmer <keith@academickeys.com>, freebsd-questions@freebsd.org
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID: <20090212010742.GA51989@slackbox.xs4all.nl>
In-Reply-To: <20090211202413.GA44294@slackbox.xs4all.nl>
References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu> <20090211202413.GA44294@slackbox.xs4all.nl>

--On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith <rsmith@xs4all.nl> wrote:

>>
>> Why can't you chgroup and setgid the homedirs to www? (Or whatever
>> account the web server is running under.) You really have two
>> requirements:
>>
>> 1) Users can't see other users' files
>> 2) The web server can read all users' web files
>>
>> So you chmod the homedirs to 750/640, and chgroup the dirs and files
>> to www, then set the sticky bit for the group, and you're done.
>
> According to the chgrp manual:
>
> The user invoking chgrp must belong to the specified group and be the
> owner of the file, or be the super-user.
>

Sorry if I wasn't clear.

I wasn't suggesting that the *users* chgrp the files. Keith would do that as root. Then he sets the setgid bit to www (or whatever the web user is), and from that point going forward any files created by the user would be user:www instead of user:user. Set the umask to 027, and world has no readability.

This is exactly how I used to handle some files on a webserver that I maintain that other people needed to be able to edit, add and delete files from. Once the sgid bit is set, the group membership of the files remains www no matter what user creates/touches a file.

Note that the first bit isn't usually referred to when discussing chmod. So most people will say, for example, chmod directories 755. And if you type '% chmod 755 dir', that's what you'll get. To set the sgid bit, you need to type '% chmod 2755 dir'. See the man 1 chmod for details.

My apologies for calling the sgid bit the "sticky" bit, since that's not technically correct. I should have said "setgid" bit rather than "sticky group bit".

--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
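
The scheme described in the message above, as an added example that is not part of the original e-mail: one function applies the 750/640 modes plus the setgid bit as root, and a second audits a home directory for anything that breaks the two requirements. The function names apply_scheme and audit_home are hypothetical; the group is "www" as in the thread, and users are assumed to run with umask 027.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
# GROUP is the web server's group ("www" in the thread) or a numeric gid.

# Run as root, e.g. apply_scheme /home/alice www
# Hands the tree to GROUP, sets directories to 2750 (750 plus setgid)
# and files to 640, the modes given in the thread.
apply_scheme() {
    home=$1 grp=$2
    chgrp -R "$grp" "$home" &&
    find "$home" -type d -exec chmod 2750 {} + &&
    find "$home" -type f -exec chmod 640 {} +
}

# Print every path that breaks the scheme; return 0 only if none do.
# Catches files created without umask 027 and trees never converted.
audit_home() {
    home=$1 grp=$2
    problems=$(
        # Directories lacking the setgid bit the scheme relies on
        find "$home" -type d ! -perm -2000 \
            -exec printf 'no-setgid: %s\n' {} \;
        # Paths the web server's group does not own
        find "$home" ! -type l ! -group "$grp" \
            -exec printf 'wrong-group: %s\n' {} \;
        # Any read, write or execute bit granted to "other"
        find "$home" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'world-access: %s\n' {} \;
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

Running audit_home from cron over each home directory reports files that a user created with a looser umask before the web server's group can expose them to other accounts.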