Date: Thu, 12 Feb 2009 16:45:40 +0100
From: Uwe Laverenz <uwe@laverenz.de>
To: freebsd-questions@freebsd.org
Cc: keith@academickeys.com
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID: <20090212154540.GC3324@laverenz.de>
In-Reply-To: <62055.12.68.55.226.1234449558.squirrel@www.academickeys.com>
User-Agent: Mutt/1.5.9i

On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:

> Thanks so much, this solution works really well! It doesn't lock users out
> of the entire system, but it does ensure that users can't view other
> users' files via SFTP/SSH, which is fantastic.

This solution enforces the switch of all user directories to group "www", which also means that any member of the group www gets access to these directories. This would be even more dangerous if your webserver runs with gid www and contains a PHP module or something similar with a long tradition of security problems.

Sorry, but you really, really should not do it this way.

The sticky bit for group www on the public_html directories can be a good idea, though.

bye,
Uwe
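To make the permission point in the reply above concrete, here is an added example that is not part of Uwe's message or of the original thread. It is a small POSIX shell audit that lists the home directories a process running with the web server's gid could read (the situation the reply warns about, where every home is group "www" and group-readable), together with the tighter layout the reply alludes to: the home directory itself 0711 (traversable so ~user URLs still resolve, but not listable), and only public_html group-owned by www with the group-inheritance (setgid) bit set so new files keep that group. The demo tree, the user names, and the use of the current user's primary group as a stand-in for www (so it runs offline without that group existing) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes only the
# standard Unix permission model plus find/chmod/chgrp; the user names and
# demo tree below are constructed for the demonstration.

# List the home directories directly under $1 whose group is $2 and whose
# mode grants that group read access. Any process running with that gid
# (e.g. a web server running as gid www) can list these homes, which is the
# exposure the reply describes.
audit_group_readable_homes() {
    homeroot=$1
    grp=$2
    find "$homeroot" -mindepth 1 -maxdepth 1 -type d -group "$grp" \
        -perm -g+r | sort
}

# Tighten one home directory to the layout suggested in the reply:
#   home         0711  owner only; others may traverse (needed for ~user)
#   public_html  2750  group $2 may read/traverse; setgid keeps new files
#                      in that group instead of the owner's primary group
harden_home() {
    home=$1
    webgrp=$2
    chmod 0711 "$home"
    mkdir -p "$home/public_html"
    chgrp "$webgrp" "$home/public_html"
    chmod 2750 "$home/public_html"
}

# Build a constructed demo tree in a temp dir and print its root. The
# current user's primary group stands in for "www" so this runs anywhere.
build_demo_tree() {
    demo_root=$(mktemp -d) || return 1
    demo_grp=$(id -gn)
    mkdir -p "$demo_root/home/alice" "$demo_root/home/bob" "$demo_root/home/carol"
    chgrp "$demo_grp" "$demo_root/home/alice" "$demo_root/home/bob" "$demo_root/home/carol"
    chmod 0750 "$demo_root/home/alice"   # group-readable: what the recipe in the thread produces
    chmod 0700 "$demo_root/home/bob"     # owner only
    chmod 0711 "$demo_root/home/carol"   # traversable but not listable
    printf '%s\n' "$demo_root"
}
```

Run `audit_group_readable_homes /home www` on a real box to see which homes a gid-www process could list; on the constructed tree only alice is reported, and after `harden_home "$root/home/alice" www` the audit is empty while alice's public_html remains readable by the web server's group.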