From owner-freebsd-questions@FreeBSD.ORG Wed Feb 11 19:23:24 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BFA3B1065686 for ; Wed, 11 Feb 2009 19:23:24 +0000 (UTC) (envelope-from prvs=pschmehl_lists=286279307@tx.rr.com) Received: from ip-relay-002.utdallas.edu (ip-relay-002.utdallas.edu [129.110.20.112]) by mx1.freebsd.org (Postfix) with ESMTP id 8AEA98FC1E for ; Wed, 11 Feb 2009 19:23:24 +0000 (UTC) (envelope-from prvs=pschmehl_lists=286279307@tx.rr.com) X-Group: RELAYLIST X-IronPort-AV: E=Sophos;i="4.38,193,1233554400"; d="scan'208";a="6333076" Received: from smtp3.utdallas.edu ([129.110.20.110]) by ip-relay-002.utdallas.edu with ESMTP; 11 Feb 2009 13:23:23 -0600 Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTPSA id BBB06852C; Wed, 11 Feb 2009 13:23:23 -0600 (CST) Date: Wed, 11 Feb 2009 13:23:23 -0600 From: Paul Schmehl To: Keith Palmer Message-ID: In-Reply-To: <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> X-Mailer: Mulberry/4.0.6 (Linux/x86) X-Munged-Reply-To: Figure it out MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Cc: freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Paul Schmehl List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 19:23:25 -0000 --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer wrote: > > > ... really? Write a script to copy the user's files over on a schedule...? > > I can see where that might be an option for some people, but that's > entirely not an option in this case. I'd have to schedule it to run every > 5 seconds or something to keep users from getting upset. > > > What if I symlinked each home user's public_html directory to a directory > readable only by Apache? Would Apache be able to read the destination > directory via the symlink, even if it doesn't have permission to access > the destination directory? > Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.) You really have two requirements: 1) Users can't see other users' files 2) The web server can read all users' web files So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done. Seems to me that's the simplest way to go about it. Setting the sticky bit ensures that any new files created by a user will have www as the group. So chown -R someuser:www /home/someuser find /home/someuser -type d exec "chmod 2750 {}" \; find /home/someuser -type f exec "chomd 2640 {}" \; (Might have my syntax on the find command messed up a bit. Make sure to man that.) If your users have their webfiles in /home/someuser/public_html, then you only need to setgid that dir and its subdirs, no the user's homedir. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* Check the headers before clicking on Reply.