Date: Thu, 12 Feb 2009 12:13:58 -0500 (EST)
From: "Keith Palmer" <keith@academickeys.com>
To: freebsd-questions@freebsd.org
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID: <64055.12.68.55.226.1234458838.squirrel@www.academickeys.com>
In-Reply-To: <20090212164842.GD3324@laverenz.de>
References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>

Ahhh... well, that's a considerably more verbose solution than your first
solution. The groups are not the default FreeBSD groups, as I thought you
were using. I will definitely check that out, thanks! I looked into
restricted shells and such, but I couldn't find any documentation or
information on that sort of stuff...

-- 
- Keith Palmer
Keith@AcademicKeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 11:48 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
>
>> Your other proposed solution results in the same situation, correct? No
>
> No, it doesn't. Let's assume shannon is in the login group users, her home
> directory would look like this:
>
> drwx-----x 2 shannon users 512 Feb 12 17:19 shannon
>
> This ensures that apache can enter /home/shannon which is necessary because
> that's where public_html is. It is not possible for apache to read the contents
> of /home/shannon because 'r' is missing. This would achieve the goal that other
> users including apache can not read the contents of the home dir.
>
> Ok, now apache needs read only access to public_html, so I would set permissions
> this way (2750 shannon:www):
>
> drwxr-s--- 2 shannon www 512 Feb 12 17:30 public_html
>
> All directories under public_html should also have these permissions, all
> files should have 0640 or 0644. This would achieve the goal that apache
> can read everything it needs to but nothing more.
>
>> matter what, Apache needs read-access to any and all files, so no matter
>> what PHP will have access to read any user's files. There's no way around
>> that for a shared hosting situation that I know of...
>
> Sure there is: this way apache can not read any other files outside
> public_html.
>
>> Your solution doesn't work because the user "keith" could still do a "ls
>> /home/shannon/public_html/" and get the directory listing (shannon's
>> public_html directory is 0755, per your suggestion). Unless I'm missing
>> something...?
>
> You don't have to set it to 0755. If you set it to 2750 keith can no
> longer see the files in shannon/public_html as long as he isn't a member
> of group www. And even if their homedirs contain a folder that belongs
> to group www, they don't have to be members of www themselves.
>
> I don't know your environment, but there are other ways of getting things
> more secure, such as the use of jails, restricting shell access or
> forcing the use of a restricted shell and so on.
>
> bye,
> Uwe
>
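
An added example, not part of the original thread: a shell audit of the layout described in the quoted reply, reporting every home directory, public_html directory or file whose mode differs from the ones quoted there (drwx-----x, drwxr-s---, 0640 or 0644). The function names and the optional web group argument are assumptions made for illustration; modes are read from `ls -ld` so the same script works with FreeBSD and GNU userlands.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.
# Usage: audit_home /home/shannon www

# mode_ok KIND MODE: succeed if the ls-style mode string is allowed for KIND.
mode_ok() {
    case "$1:$2" in
        home:drwx-----x)   return 0 ;;  # others may traverse, nobody else may list
        webdir:drwxr-s---) return 0 ;;  # 2750
        webfile:-rw-r-----|webfile:-rw-r--r--) return 0 ;;  # 0640 or 0644
    esac
    return 1
}

# First 10 characters of `ls -ld`, dropping any ACL or attribute suffix.
mode_of() { ls -ld "$1" | cut -c1-10; }
# Group owner as printed in the 4th field of `ls -ld`.
group_of() { ls -ld "$1" | awk '{print $4}'; }

# audit_home HOME [WEBGROUP]: print one line per deviation, return 1 if any.
audit_home() {
    home=$1 webgroup=${2:-}
    report=$(
        m=$(mode_of "$home")
        mode_ok home "$m" || echo "home $m $home"
        [ -d "$home/public_html" ] || exit 0
        # Every directory under public_html must carry the same mode.
        find "$home/public_html" -type d | while IFS= read -r d; do
            m=$(mode_of "$d")
            mode_ok webdir "$m" || echo "webdir $m $d"
            [ -z "$webgroup" ] || [ "$(group_of "$d")" = "$webgroup" ] ||
                echo "group $(group_of "$d") $d"
        done
        find "$home/public_html" -type f | while IFS= read -r f; do
            m=$(mode_of "$f")
            mode_ok webfile "$m" || echo "webfile $m $f"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Each report line has the form `kind value path`, so the output of a loop over `/home/*` can be filtered by kind.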