Date: Thu, 12 Feb 2009 17:48:42 +0100
From: Uwe Laverenz
To: Keith Palmer
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID: <20090212164842.GD3324@laverenz.de>

On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:

> Your other proposed solution results in the same situation, correct? No

No, it doesn't. Let's assume shannon is in the login group users, her home
directory would look like this:

    drwx-----x 2 shannon users 512 Feb 12 17:19 shannon

This ensures that apache can enter /home/shannon which is necessary
because that's where public_html is. It is not possible for apache to
read the contents of /home/shannon because 'r' is missing. This would
achieve the goal that other users including apache can not read the
contents of the home dir.

Ok, now apache needs read only access to public_html, so I would set
permissions this way (2750 shannon:www):

    drwxr-s--- 2 shannon www 512 Feb 12 17:30 public_html

All directories under public_html should also have these permissions,
all files should have 0640 or 0644. This would achieve the goal that
apache can read everything it needs to but nothing more.

> matter what, Apache needs read-access to any and all files, so no matter
> what PHP will have access to read any user's files. There's no way around
> that for a shared hosting situation that I know of...

Sure there is: this way apache can not read any other files outside
public_html.

> Your solution doesn't work because the user "keith" could still do a "ls
> /home/shannon/public_html/" and get the directory listing (shannon's
> public_html directory is 0755, per your suggestion). Unless I'm missing
> something...?

You don't have to set it to 0755. If you set it to 2750 keith can no
longer see the files in shannon/public_html as long as he isn't a member
of group www. And even if their homedirs contain a folder that belongs
to group www, they don't have to be members of www themselves.

I don't know your environment, but there are other ways of getting things
more secure, such as the use of jails, restricting shell access or
forcing the use of a restricted shell and so on.

bye,
Uwe
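
An added example, not part of the message above: a small Python model of the classic Unix owner/group/other check, applied to the modes and owner:group pairs quoted in the reply. The uid/gid numbers, keith's membership in group users and the file notes.txt are assumptions; root, ACLs and MAC policies are not modelled.

```python
from collections import namedtuple

Node = namedtuple("Node", "name mode uid gid")
User = namedtuple("User", "name uid gids")
R, X = 4, 1  # read bit and search/execute bit within one permission class

# Constructed ids; only the modes and owner:group pairs come from the message.
USERS, WWW = 1000, 80
keith = User("keith", 1002, {USERS})    # assumed to share the login group "users"
apache = User("apache", 80, {WWW})      # web server account, member of www only

HOME = Node("/home/shannon", 0o0701, 1001, USERS)   # drwx-----x shannon:users
PUBLIC = Node("public_html", 0o2750, 1001, WWW)     # drwxr-s--- shannon:www
INDEX = Node("index.html", 0o0640, 1001, WWW)       # file inside public_html
NOTES = Node("notes.txt", 0o0644, 1001, USERS)      # hypothetical file in the home dir


def allowed(user, node, want):
    """Mode check: exactly one class applies (owner, else group, else other)."""
    if user.uid == node.uid:
        shift = 6
    elif node.gid in user.gids:
        shift = 3
    else:
        shift = 0
    return ((node.mode >> shift) & 7 & want) == want


def can_read(user, *path):
    """Reading the last component (file contents or directory listing)
    needs x on every directory before it and r on the component itself."""
    return all(allowed(user, d, X) for d in path[:-1]) and allowed(user, path[-1], R)


def report():
    return {
        "apache lists /home/shannon": can_read(apache, HOME),
        "apache lists public_html": can_read(apache, HOME, PUBLIC),
        "apache reads index.html": can_read(apache, HOME, PUBLIC, INDEX),
        "keith lists public_html": can_read(keith, HOME, PUBLIC),
        # x without r hides names only: a file in the home dir that keeps
        # 'other' read bits can still be opened by name, so it needs 0600/0640.
        "apache reads ~/notes.txt (0644)": can_read(apache, HOME, NOTES),
    }


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
```
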