From: Chris Rees
To: freebsd-questions@freebsd.org, keith@academickeys.com
Date: Tue, 17 Feb 2009 10:25:29 +0000
Subject: Re: Restricting users to their own home directories / not letting users view other users' files...?

2009/2/17 Chris Rees :
> 2009/2/12 Uwe Laverenz :
>> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>>
>>> Thanks so much, this solution works really well! It doesn't lock users out
>>> of the entire system, but it does ensure that users can't view other
>>> users' files via SFTP/SSH, which is fantastic.
>>
>> This solution enforces the switch of all user directories to group "www",
>> which also means that any member of the group www gets access to these
>> directories. This would be even more dangerous if your webserver runs
>> with gid www and contains a php-module or something similar with a long
>> tradition of security problems. Sorry, but you really, really should not
>> do it this way.
>>
>> The sticky bit for group www on the public_html directories can be a good
>> idea, though.
>>
>> bye,
>> Uwe
>
> Do you really mean sticky? Or do you mean sgid? Sgid directories are
> unnecessary in BSD systems anyway. In the (one true UNIX) BSD Way, new
> files in a directory are always of the group of the directory.
>
> Sticky is something completely different
> http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=sticky

Alright, let's go into a culture shock mode, and suggest a change in layout.

    [chris@amnesiac]~% ls -l /home/chris
    total 1712
    drwx------  6 chris  chris   512 Dec  8 15:40 home/
    drwxr-xr-x  1 chris  chris  1743 Nov 22 14:35 public_html/

And stick the contents of the home directory in home/

Only trouble is if you don't want dotfiles (.cshrc etc.) visible, but you'll
have to live with that. Or set the permissions 700.

Be careful with dotfiles, don't forget .* matches .. too :(

Chris

--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
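The layout Chris sketches, applied to one login directory by a POSIX sh function; this is an added example, not code from the thread. It assumes the login directory is passed as the argument, keeps the dotfiles at the top level (the login shell reads them from $HOME, which is the visibility trade-off the message mentions) and uses find(1) rather than a shell `.*` glob so that `..` is never touched.

```shell
#!/bin/sh
# Added example: TOP stays searchable but not listable (711) so httpd can
# reach TOP/public_html (755); the user's own files move into TOP/home (700).
set -eu

relayout_home() {
    top=$1
    mkdir -p "$top/home" "$top/public_html"
    chmod 700 "$top/home"
    chmod 755 "$top/public_html"
    # Depth-1 entries only (-prune stops the descent). find never yields
    # '..', unlike 'mv .* home/', which is the trap the message warns
    # about. Dotfiles are skipped on purpose so the shell still finds them.
    (
        cd "$top" &&
        find . ! -name . -prune \
            ! -name home ! -name public_html ! -name '.*' \
            -exec mv -- {} home/ \;
    )
    chmod 711 "$top"
}

# Succeeds when PATH's permission bits are exactly MODE (octal). Only POSIX
# find(1) is used, so the check behaves the same on FreeBSD and GNU userlands.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Usage: relayout_home /home/chris && mode_is /home/chris 711
```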