From: "Keith Palmer" <keith@academickeys.com>
To: freebsd-questions@freebsd.org
Date: Thu, 12 Feb 2009 09:39:18 -0500 (EST)
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID: <62055.12.68.55.226.1234449558.squirrel@www.academickeys.com>
References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com>
User-Agent: SquirrelMail/1.4.9a
Paul,

Thanks so much, this solution works really well! It doesn't lock users out of the entire system, but it does ensure that users can't view other users' files via SFTP/SSH, which is fantastic.

The actual syntax for setting the setgid bit on directories is:

find /path/to/directory -type d -exec chmod g+s '{}' \;

Thanks!

--
- Keith Palmer
Keith@AcademicKeys.com
http://www.AcademicKeys.com/

On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer wrote:
>
>> ... really? Write a script to copy the user's files over on a schedule...?
>>
>> I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.
>>
>> What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.) You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done. Seems to me that's the simplest way to go about it. Setting the sticky bit ensures that any new files created by a user will have www as the group.
>
> So chown -R someuser:www /home/someuser
> find /home/someuser -type d -exec chmod 2750 {} \;
> find /home/someuser -type f -exec chmod 640 {} \;
>
> (Might have my syntax on the find command messed up a bit. Make sure to man that.)
>
> If your users have their webfiles in /home/someuser/public_html, then you only need to setgid that dir and its subdirs, not the user's homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
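The scheme Paul describes and Keith confirms (group-own the web tree by the web server's group, 2750 on directories so new entries inherit that group, 640 on files, nothing for "other") as a small script with an audit step. This is an added example for the thread, not code either of them posted. It assumes the web server group is named www, as Paul suggests, and that the files live under /home/<user>/public_html; apply needs root, the audit does not.

```sh
#!/bin/sh
# Added example for this thread, not code posted by Keith or Paul.
# Assumptions: the web server runs as group "www" and a user's web files
# live in /home/<user>/public_html. secure_webdir needs root (it chgrps to
# a group the caller may not belong to); audit_webdir runs unprivileged.

# secure_webdir DIR GROUP
# Give DIR and everything under it to GROUP, make directories 2750
# (owner rwx, group r-x, others nothing, setgid so new entries inherit
# GROUP) and regular files 640. Note the find syntax: -exec, the command
# words unquoted, {} for the current path, and an escaped ; terminator.
secure_webdir() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2750 {} \;
    find "$1" -type f -exec chmod 640 {} \;
}

# audit_webdir DIR GROUP
# Return 0 if every path under DIR matches the policy, 1 otherwise, naming
# each offender on stdout. It reads "ls -ld" output (mode is field 1,
# group is field 4) so it works unchanged on FreeBSD and Linux; paths
# containing whitespace are not handled.
audit_webdir() {
    dir=$1; want=$2; bad=0
    for p in $(find "$dir"); do
        set -- $(ls -ld "$p")
        mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/SELinux suffix
        group=$4
        if [ "$group" != "$want" ]; then
            echo "wrong group $group: $p"; bad=1
        fi
        case $mode in
            d*) [ "$mode" = "drwxr-s---" ] || { echo "wrong mode $mode: $p"; bad=1; } ;;
            -*) [ "$mode" = "-rw-r-----" ] || { echo "wrong mode $mode: $p"; bad=1; } ;;
            *)  echo "unexpected type $mode: $p"; bad=1 ;;
        esac
    done
    return $bad
}

# Typical use, as root:  sh secure_webdir.sh apply someuser
if [ "$1" = "apply" ] && [ -n "$2" ]; then
    secure_webdir "/home/$2/public_html" www
    audit_webdir "/home/$2/public_html" www
fi
```

Two caveats a practitioner should keep in mind. The setgid bit fixes only the group of files the user creates later; their mode still comes from the user's umask, so a umask of 022 produces 644 files, and the audit above will flag them. What actually keeps other users out is the 750 on the directory, since they cannot traverse into it at all; running the audit from cron catches files whose modes have drifted.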