From: "Keith Palmer"
To: freebsd-questions@freebsd.org
Date: Thu, 12 Feb 2009 12:13:58 -0500 (EST)
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?

Ahhh... well, that's a considerably more verbose solution than your first solution. The groups are not the default FreeBSD groups, as I thought you were using.

I will definitely check that out, thanks!

I looked into restricted shells and such, but I couldn't find any documentation or information on that sort of stuff...

-- 
- Keith Palmer
Keith@AcademicKeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 11:48 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
>
>> Your other proposed solution results in the same situation, correct? No
>
> No, it doesn't. Let's assume shannon is in the login group users, her home
> directory would look like this:
>
> drwx-----x 2 shannon users 512 Feb 12 17:19 shannon
>
> This ensures that apache can enter /home/shannon which is necessary because
> that's where public_html is. It is not possible for apache to read the contents
> of /home/shannon because 'r' is missing. This would achieve the goal that other
> users including apache can not read the contents of the home dir.
>
> Ok, now apache needs read only access to public_html, so I would set permissions
> this way (2750 shannon:www):
>
> drwxr-s--- 2 shannon www 512 Feb 12 17:30 public_html
>
> All directories under public_html should also have these permissions, all
> files should have 0640 or 0644. This would achieve the goal that apache
> can read everything it needs to but nothing more.
>
>> matter what, Apache needs read-access to any and all files, so no matter
>> what PHP will have access to read any user's files. There's no way around
>> that for a shared hosting situation that I know of...
>
> Sure there is: this way apache can not read any other files outside
> public_html.
>
>> Your solution doesn't work because the user "keith" could still do a "ls
>> /home/shannon/public_html/" and get the directory listing (shannon's
>> public_html directory is 0755, per your suggestion). Unless I'm missing
>> something...?
>
> You don't have to set it to 0755. If you set it to 2750 keith can no
> longer see the files in shannon/public_html as long as he isn't a member
> of group www. And even if their homedirs contain a folder that belongs
> to group www, they don't have to be members of www themselves.
>
> I don't know your environment, but there are other ways of getting things
> more secure, such as the use of jails, restricting shell access or
> forcing the use of a restricted shell and so on.
>
> bye,
> Uwe
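
Added example, not part of the original thread: a shell check that audits one home directory against the scheme quoted above (home `drwx-----x`, every directory under `public_html` `drwxr-s---` with the web server's group, files 0640 or 0644). The function names and script layout are this example's own; the group defaults to `www` as in the message.

```shell
#!/bin/sh
# Added example (not from the thread): audit one home directory against the
# layout described in the message. The web group defaults to "www".

# First 10 characters of the ls mode column, e.g. drwx-----x
# (cut drops a trailing ACL/label marker such as "+" or ".").
mode_of() { ls -ld "$1" | cut -c1-10; }

# Group name as ls prints it (4th column).
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# Print one line per deviation from the scheme; print nothing if compliant.
findings() {
    home=$1 grp=$2
    m=$(mode_of "$home")
    [ "$m" = "drwx-----x" ] || echo "$home: mode $m, want drwx-----x (0701)"
    [ -d "$home/public_html" ] || return 0
    # public_html and every directory below it: 2750, group = web server group
    find "$home/public_html" -type d | while IFS= read -r d; do
        m=$(mode_of "$d"); g=$(group_of "$d")
        [ "$m" = "drwxr-s---" ] || echo "$d: mode $m, want drwxr-s--- (2750)"
        [ "$g" = "$grp" ] || echo "$d: group $g, want $grp"
    done
    # files: only 0640 or 0644 are accepted
    find "$home/public_html" -type f ! -perm 640 ! -perm 644 |
        sed 's/$/: file mode is not 0640 or 0644/'
}

# audit_home HOME [WEB_GROUP]: returns 0 when compliant, 1 otherwise.
audit_home() {
    out=$(findings "$1" "${2:-www}")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh audit_home.sh /home/shannon [www]
if [ $# -gt 0 ]; then audit_home "$@"; fi
```

Run it as the directory's owner or as root, since other accounts cannot list a 2750 `public_html` they have no group access to.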