From owner-freebsd-questions@FreeBSD.ORG Thu Feb 12 01:07:49 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1FB8C106564A for ; Thu, 12 Feb 2009 01:07:49 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr1.xs4all.nl (smtp-vbr1.xs4all.nl [194.109.24.21]) by mx1.freebsd.org (Postfix) with ESMTP id B6CDB8FC15 for ; Thu, 12 Feb 2009 01:07:47 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from slackbox.xs4all.nl (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr1.xs4all.nl (8.13.8/8.13.8) with ESMTP id n1C17gLb044486; Thu, 12 Feb 2009 02:07:43 +0100 (CET) (envelope-from rsmith@xs4all.nl) Received: by slackbox.xs4all.nl (Postfix, from userid 1001) id A608DB8E7; Thu, 12 Feb 2009 02:07:42 +0100 (CET) Date: Thu, 12 Feb 2009 02:07:42 +0100 From: Paul Schmehl To: Roland Smith , Paul Schmehl Message-ID: <20090212010742.GA51989@slackbox.xs4all.nl> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <20090211202413.GA44294@slackbox.xs4all.nl> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="AhhlLboLdkugWU4S" Content-Disposition: inline In-Reply-To: <20090211202413.GA44294@slackbox.xs4all.nl> X-Original-To: rsmith@localhost Received: from pops.xs4all.nl (localhost [127.0.0.1]) by slackbox.xs4all.nl (Postfix) with ESMTP id 57108BA7A for ; Thu, 12 Feb 2009 00:30:06 +0100 (CET) Received: from ip-relay-002.utdallas.edu (ip-relay-002.utdallas.edu [129.110.20.112]) by mxdrop137.xs4all.nl (8.13.8/8.13.8) with ESMTP id n1BNRjdj006310 for ; Thu, 12 Feb 2009 00:27:47 +0100 (CET) (envelope-from prvs=pauls=286b60c8c@utdallas.edu) X-Group: RELAYLIST X-IronPort-AV: E=Sophos;i="4.38,194,1233554400"; d="scan'208";a="6344976" Received: from smtp3.utdallas.edu ([129.110.20.110]) by ip-relay-002.utdallas.edu with ESMTP; 11 Feb 2009 17:27:44 -0600 Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTPSA id 4B1298733; Wed, 11 Feb 2009 17:27:44 -0600 (CST) X-Mailer: Mulberry/4.0.6 (Linux/x86) X-XS4ALL-DNSBL-Checked: mxdrop137.xs4all.nl checked 129.110.20.112 against DNS blacklists X-CNFS-Analysis: v=1.0 c=1 a=cPIjfUGdfaIA:10 a=OZffzZ3BE-YA:10 a=k1RchF0jAAAA:8 a=2-WNuZ_tQd19llLtPz0A:9 a=_BSwCguS1PwagJbkv-QA:7 a=19ROHiQYHYSK4XF88FSgADmNvFwA:4 a=rPt6xJ-oxjAA:10 a=zCHD0xgTAAAA:8 a=pglSz3t6Jzk-yQ7SgGcA:9 a=Yzd9bABjo1o_s8J7bWzgpuLnMLUA:4 a=QKeXTQ4Y8D4A:10 X-Virus-Scanned: by XS4ALL Virus Scanner X-XS4ALL-Spam-Score: -0.0 () MIME_QP_LONG_LINE X-XS4ALL-Spam: NO Envelope-To: rsmith@xs4all.nl X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.1.7 User-Agent: Mutt/1.5.18 (2008-05-17) Cc: Keith Palmer , freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2009 01:07:49 -0000 --AhhlLboLdkugWU4S Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable --On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith=20 wrote: >> >> Why can't you chgroup and setgid the homedirs to www? (Or whatever >> account the web server is running under.) You really have two >> requirements: >> >> 1) Users can't see other users' files >> 2) The web server can read all users' web files >> >> So you chmod the homedirs to 750/640, and chgroup the dirs and files >> to www, then set the sticky bit for the group, and you're done. > > According to the chgrp manual: > > The user invoking chgrp must belong to the specified group and be the > owner of the file, or be the super-user. > Sorry if I wasn't clear. I wasn't suggesting that the *users* chgrp the files. Keith would do that = as=20 root. Then he sets the setgid bit to www (or whatever the web user is), an= d=20 =66rom that point going forward any files created by the user would be user= :www=20 instead of user:user. Set the umask to 027, and world has no readability. This is exactly how I used to handle some files on a webserver that I maint= ain=20 that other people needed to be able to edit, add and delete files from. On= ce=20 the sgid bit is set, the group membership of the files remains www no matte= r=20 what user creates/touches a file. Note that the first bit isn't usually referred to when discussing chmod. S= o=20 most people will say, for example, chmod directories 755. And if you type = '%=20 chmod 755 dir', that's what you'll get. To set the sgid bit, you need to t= ype=20 '% chmod 2755 dir'. See the man 1 chmod for details. My apologies for calling the sgid bit the "sticky" bit, since that's not=20 technically correct. I should have said "setgid" bit rather than "sticky g= roup=20 bit". --=20 Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --AhhlLboLdkugWU4S Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (FreeBSD) iEYEARECAAYFAkmTdl4ACgkQEnfvsMMhpyVaYwCfVqgj5ggewG3X2L8GnrfXNYTu GdAAmwVf3DVd1KL/PHOVd1Wj9ygUgH77 =gMrs -----END PGP SIGNATURE----- --AhhlLboLdkugWU4S--