Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 19 Feb 2010 09:05:47 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Programmer In Training <pit@joseph-a-nagy-jr.us>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: User Directories On FreeBSD 8.0-RELEASE
Message-ID:  <4B7E546B.8010005@infracaninophile.co.uk>
In-Reply-To: <4B7DB0A2.3080709@joseph-a-nagy-jr.us>
References:  <4B7D90BC.10901@joseph-a-nagy-jr.us>	<29d693b3235665696dd86c5c6b1438cf.squirrel@whipp.no-ip.org> <4B7DB0A2.3080709@joseph-a-nagy-jr.us>
next in thread | previous in thread | raw e-mail | index | archive | help 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18/02/2010 21:26, Programmer In Training wrote:
> On 02/18/10 14:54, Craig Whipp wrote:
> <snip>
>> What are the permissions for your $HOME and $HOME/public_html?  The user
>> that apache is running as must be able read from these directories.
>>
>> - Craig
> 
> drwxr-xr-x  49 user1  user1  1536 Feb 18 14:31 user1/
> drwxr-xr-x  18 user1  user1   2560 Feb 14 09:25 public_html/
> 
> Possibly not the most secure permissions but I don't remember the
> default (I think it's 644).

Nope.  For directories it's 755.  You need the x permission on a
directory to chdir to it.

> Apache runs as user:group deamon:daemon

The default is www:www but I guess you know your own configuration.

> Trying to su in from root as daemon returns the following:
> 
> su - daemon
> This account is currently not available.

Yep.  That's because it (correctly) doesn't have a usable login shell.  Try:

   su -m daemon

> user and group do exist (quadruple verified).

Given that the ~user1/public_html directory has world-read permissions,
apache won't have any trouble reading the files.  So long as apache
doesn't have *write* permission on the directory, everything is prety
much hunky-dory security-wise.

If you're getting 403 permission denied errors trying to access
userdirs, then the problem lies within the apache configuration.
What you need to do is configure the permissions based on the home
directory path returned from getpwent() -- by default under FreeBSD
that's /home/user1/  Nevermind that much of the time /home is a symlink
to /usr/home -- it's the path returned from the passwd file that apache
uses for comparison, long before trying to resolve any symlinks and open
anything on the hard-drive.

Like this:

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt+VGsACgkQ8Mjk52CukIz/mQCfeQ4RKiu8R7VpkT0FbWp6J99R
iY0An2yOqdZz0fE21soYvslXB8K9kc2r
=KRGI
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B7E546B.8010005>