From: Matthew Seaman
Date: Fri, 19 Feb 2010 09:05:47 +0000
To: Programmer In Training
Cc: FreeBSD Questions
Subject: Re: User Directories On FreeBSD 8.0-RELEASE

On 18/02/2010 21:26, Programmer In Training wrote:
> On 02/18/10 14:54, Craig Whipp wrote:
>
>> What are the permissions for your $HOME and $HOME/public_html?  The user
>> that apache is running as must be able to read from these directories.
>>
>> - Craig
>
> drwxr-xr-x  49 user1  user1      1536 Feb 18 14:31 user1/
> drwxr-xr-x  18 user1  user1      2560 Feb 14 09:25 public_html/
>
> Possibly not the most secure permissions but I don't remember the
> default (I think it's 644).

Nope.  For directories it's 755.  You need the x permission on a
directory to chdir to it.

> Apache runs as user:group deamon:daemon

The default is www:www but I guess you know your own configuration.

> Trying to su in from root as daemon returns the following:
>
> su - daemon
> This account is currently not available.

Yep.  That's because it (correctly) doesn't have a usable login shell.
Try:

    su -m daemon

> user and group do exist (quadruple verified).

Given that the ~user1/public_html directory has world-read permissions,
apache won't have any trouble reading the files.  So long as apache
doesn't have *write* permission on the directory, everything is pretty
much hunky-dory security-wise.

If you're getting 403 permission denied errors trying to access
userdirs, then the problem lies within the apache configuration.  What
you need to do is configure the permissions based on the home directory
path returned from getpwent() -- by default under FreeBSD that's
/home/user1/

Never mind that much of the time /home is a symlink to /usr/home -- it's
the path returned from the passwd file that apache uses for comparison,
long before trying to resolve any symlinks and open anything on the
hard-drive.

Like this:

    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

        Order allow,deny
        Allow from all

        Order deny,allow
        Deny from all

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
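
The two checks described in the reply above, as an added example that is not part of the original message or of Apache itself: whether a wildcard Directory path covers the passwd-derived path rather than the symlink-resolved one, and whether every directory on the way to public_html is searchable by an unrelated account without being world-writable. The function names are hypothetical, the matcher is a simplified segment-by-segment model of wildcard matching, and the server account is assumed to be neither owner nor group member of any component.

```python
import os
import pwd
import stat
from fnmatch import fnmatchcase


def directory_pattern_matches(pattern, path):
    """True if a wildcard Directory path covers `path` or a parent of it.

    Compared segment by segment, so '*' never crosses a '/'.
    """
    pat = pattern.strip("/").split("/")
    seg = path.strip("/").split("/")
    return len(seg) >= len(pat) and all(fnmatchcase(s, p) for s, p in zip(seg, pat))


def world_access_problems(path, base="/"):
    """List (directory, problem) pairs that stop an unrelated account serving `path`.

    Assumption: the server account is neither owner nor group member of any
    component, so only the "other" permission bits are examined.
    """
    problems = []
    current = base
    for part in os.path.relpath(path, base).split(os.sep):
        current = os.path.join(current, part)
        mode = os.stat(current).st_mode  # follows symlinks such as /home -> /usr/home
        if not mode & stat.S_IXOTH:
            problems.append((current, "no search (x) permission for other"))
    # Read and write bits matter only on the final directory being served.
    if not mode & stat.S_IROTH:
        problems.append((current, "no read (r) permission for other"))
    if mode & stat.S_IWOTH:
        problems.append((current, "world-writable"))
    return problems


if __name__ == "__main__":
    # Hypothetical invocation: inspect the current user's own userdir.
    home = pwd.getpwuid(os.getuid()).pw_dir  # path as stored in the passwd database
    docroot = os.path.join(home, "public_html")
    print("passwd path:  ", docroot)
    print("resolved path:", os.path.realpath(docroot))
    print("covered by /home/*/public_html:",
          directory_pattern_matches("/home/*/public_html", docroot))
    if os.path.isdir(docroot):
        for where, what in world_access_problems(docroot):
            print(where, "-", what)
```

A pattern written against /usr/home/*/public_html fails the first check when the passwd entry says /home/user1, which is the mismatch the reply warns about.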