From: Eric Veraart
Date: Mon, 30 Jul 2001 20:43:36 +0200
To: Kal Torak, freebsd-isp@freebsd.org
Subject: Re: Admin user in all groups
Message-ID: <3B65AAD8.9FC2C323@monkey-online.net>

If I use

DefaultRoot ~ !wheel,admin

and later on

UserOwner admin

the person who logs into that dir can get out of his dir anyway. But if I only put wheel there as group it works correctly, because admin is in group wheel, but the dir is used by company.

Kal Torak wrote:
>
> Eric Veraart wrote:
> >
> > And then make a script that chowns everything in all the website dirs to
> > admin after a user has uploaded its own HTML file? It is a possibility,
> > but I think there must be an easier way.
>
> You will find with Proftpd you can specify the owner and group owner
> of files in a given directory as well as the umask...
>
> It was also mentioned that you made all the users anonymous to get
> the chroot feature, but you can specify that everyone get chrooted
> when they login...
>
> In the basic server config I have a line saying
>
> DefaultRoot ~ !wheel
>
> Which means everyone gets chrooted to their home dir (~) except
> people in group wheel... The list of exceptions is a comma separated
> list, groups have a ! mark in front of them and users are just written
> as normal... So you might have something like:
>
> DefaultRoot ~ !wheel,admin,someuser,anotheruser
>
> Then for the dirs of each web site put something like:
>
>
> UserOwner admin
> GroupOwner company
> Umask 003
>
>
> That should solve your problems...
>
> The reason you can't follow a symlink is because the user has been
> chrooted to a directory, so to them nothing below this exists, it's
> the root... Allowing someone to follow a symlink out of a chroot
> would not only be a major security hole but would defeat the whole
> purpose of a chroot...
>
> Good Luck!
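The thread turns on a simple question: given a DefaultRoot exception list and the group file, which accounts end up outside the chroot? Eric's observation (admin escapes even when only !wheel is listed, because admin is a member of wheel) is exactly the kind of thing worth checking mechanically before deploying a config. The script below is an added example, not code from the thread or from the ProFTPD project. It models the exception list the way Kal's reply describes it (a "!name" token is a group, a bare name is a user); note that ProFTPD's own DefaultRoot directive takes a group-expression, so the bare-name-as-user handling is an assumption taken from the reply, not from ProFTPD. The proftpd.conf fragments and the /etc/group lines are constructed sample data, and the group file is read in the simplified /etc/group form (primary group membership from /etc/passwd is not consulted). It also shows what the quoted "Umask 003" yields for new files and directories.

```python
"""Added example (not from the original thread): determine which accounts
a ProFTPD DefaultRoot line leaves unchrooted, and what a Umask produces."""
import re

# Constructed sample /etc/group lines: name:password:gid:member,member
SAMPLE_GROUP = """\
wheel:*:0:root,admin
company:*:1001:admin,alice,bob
www:*:80:
"""

# Constructed sample proftpd.conf fragments.
# CONF_WHEEL_AND_ADMIN is the line Eric tried; CONF_WHEEL_ONLY is Kal's basic line.
CONF_WHEEL_AND_ADMIN = "ServerName \"Sample FTP\"\nDefaultRoot ~ !wheel,admin\nUmask 003\n"
CONF_WHEEL_ONLY = "ServerName \"Sample FTP\"\nDefaultRoot ~ !wheel\nUmask 003\n"

# Constructed list of the accounts that can log in to this sample server.
SAMPLE_USERS = ["root", "admin", "alice", "bob", "someuser"]


def parse_groups(text):
    """Return {group: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_default_root(conf):
    """Return (root, exempt_groups, exempt_users) from the DefaultRoot line.

    The exception list is modelled as the reply describes it (assumption):
    '!name' is a group, a bare name is a user. Returns (None, set(), set())
    when no DefaultRoot directive is present.
    """
    m = re.search(r"^\s*DefaultRoot\s+(\S+)(?:[ \t]+(\S+))?", conf, re.M)
    if not m:
        return None, set(), set()
    root, exprs = m.group(1), m.group(2) or ""
    groups, users = set(), set()
    for token in filter(None, exprs.split(",")):
        if token.startswith("!"):
            groups.add(token[1:])
        else:
            users.add(token)
    return root, groups, users


def unchrooted_users(conf, group_text, all_users):
    """Map each account that will NOT be confined to DefaultRoot to the reason.

    Reasons: 'no DefaultRoot directive', 'listed by name', or
    'member of group <g>'. Accounts that are chrooted are absent from the map.
    """
    root, exempt_groups, exempt_users = parse_default_root(conf)
    if root is None:
        return {u: "no DefaultRoot directive" for u in all_users}
    groups = parse_groups(group_text)
    result = {}
    for user in all_users:
        if user in exempt_users:
            result[user] = "listed by name"
            continue
        for g in sorted(exempt_groups):
            if user in groups.get(g, set()):
                result[user] = "member of group %s" % g
                break
    return result


def umask_to_modes(umask):
    """Octal umask string -> (file mode, directory mode) as octal strings.
    New files start from 666 and directories from 777 before the mask."""
    mask = int(umask, 8)
    return "%03o" % (0o666 & ~mask), "%03o" % (0o777 & ~mask)


if __name__ == "__main__":
    for label, conf in (("!wheel,admin", CONF_WHEEL_AND_ADMIN), ("!wheel", CONF_WHEEL_ONLY)):
        print("DefaultRoot ~ %s leaves unchrooted:" % label)
        for user, why in sorted(unchrooted_users(conf, SAMPLE_GROUP, SAMPLE_USERS).items()):
            print("  %-10s %s" % (user, why))
    print("Umask 003 -> files %s, directories %s" % umask_to_modes("003"))
```

Running it on the sample data shows that admin is outside the chroot under both lines: with "!wheel,admin" by name, and with plain "!wheel" through wheel membership, which is the behaviour Eric reports. Whoever is meant to be the UserOwner of the web directories should therefore be checked against this list rather than assumed to be confined.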