Date:      Thu, 12 Feb 2009 09:39:18 -0500 (EST)
From:      "Keith Palmer" <keith@academickeys.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Restricting users to their own home directories / not letting  users view other users files...?
Message-ID:  <62055.12.68.55.226.1234449558.squirrel@www.academickeys.com>
In-Reply-To: <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>
References:  <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>


Paul,

Thanks so much, this solution works really well! It doesn't lock users out
of the entire system, but it does ensure that users can't view other
users' files via SFTP/SSH, which is fantastic.

The actual syntax for setting the setgid bit on directories is:
find /path/to/directory -type d -exec chmod g+s '{}' \;


Thanks!

-- 
 - Keith Palmer
   Keith@AcademicKeys.com
   http://www.AcademicKeys.com/

On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> <keith@academickeys.com> wrote:
>
>>
>>
>> ... really? Write a script to copy the user's files over on a
>> schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run
>> every
>> 5 seconds or something to keep users from getting upset.
>>
>>
>> What if I symlinked each home user's public_html directory to a
>> directory readable only by Apache? Would Apache be able to read the
>> destination directory via the symlink, even if it doesn't have
>> permission to access the destination directory?
>>
>
> Why can't you chgroup and setgid the homedirs to www?  (Or whatever
> account the web server is running under.)  You really have two
> requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to
> www, then set the sticky bit for the group, and you're done.  Seems to me
> that's the simplest way to go about it.  Setting the sticky bit ensures
> that any new files created by a user will have www as the group.
>
> So chown -R someuser:www /home/someuser
> find /home/someuser -type d -exec chmod 2750 '{}' \;
> find /home/someuser -type f -exec chmod 640 '{}' \;
>
> (Might have my syntax on the find command messed up a bit.  Make sure to
> man that.)
>
> If your users have their webfiles in /home/someuser/public_html, then you
> only need to setgid that dir and its subdirs, not the user's homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
>
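The scheme Paul describes (web directory group-owned by the web server account, directories 2750 so new files inherit the group, files 640, nothing readable by "other"), written out as a small script with an audit function. This is an added example, not code from the thread; the group name "www" is the one used above and is passed in as a parameter, since other systems call it "www-data" or "apache".

```shell
#!/bin/sh
# harden_webdir DIR GROUP
#   - chgrp everything under DIR to the web server group
#   - directories: mode 2750 (setgid keeps the group on new files, "other" gets nothing)
#   - files:       mode 640
# Example: harden_webdir /home/someuser/public_html www
harden_webdir() {
    dir=$1
    grp=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chgrp -R "$grp" "$dir" || return 1
    # quote {} so the shell never expands it; -exec takes the command words directly
    find "$dir" -type d -exec chmod 2750 '{}' \; || return 1
    find "$dir" -type f -exec chmod 640 '{}' \; || return 1
}

# check_webdir DIR GROUP
#   Print every path that violates the scheme and return 1 if any exist, so the
#   function can run from cron to catch files that were uploaded with a different umask.
#   A directory must be setgid and closed to "other"; a file must be closed to "other";
#   everything must belong to GROUP. Octal -perm tests are used because they behave
#   the same under FreeBSD find and GNU find.
check_webdir() {
    dir=$1
    grp=$2
    bad=$( {
        find "$dir" ! -group "$grp"
        find "$dir" -type d \( ! -perm -2000 -o -perm -0001 -o -perm -0002 -o -perm -0004 \)
        find "$dir" -type f \( -perm -0001 -o -perm -0002 -o -perm -0004 \)
    } | sort -u )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run `check_webdir` before `harden_webdir` to see what a fresh upload looks like, and again afterwards to confirm nothing under the tree is still reachable by "other".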