From: DAve
Date: Wed, 11 Feb 2009 15:12:53 -0500
To: Keith Palmer
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting users to their own home directories / not letting users view other users' files...?
Message-ID: <49933145.3000601@pixelhammer.com>
In-Reply-To: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com>
Keith Palmer wrote:
> OK, I'm sure this question has been asked a million times, but I haven't
> been able to find a straight answer that actually solves the problem, so
> here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user
> *not* be able to view other users' files via an SSH or SFTP session. i.e.
> if I'm logged in as "keith" I should *not* get a list of files when I do
> "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
> Sooo... how can I set this up so that users can't view other users' files,
> but Apache still works?
>
> I would prefer *not* to use jails, as it sounds like a lot of overhead and
> complicated to set up... is there another way?
>
> I've looked at rbash, but it looks like it disables a whole bunch of other
> stuff. My users still need a usable SSH shell. I've looked at rssh and
> scponly, but they seem to disallow SSH shell access completely.
>
> Thanks in advance!

Try /usr/ports/security/openssh

You can chroot the user into their own home dir. Check out the
ChrootDirectory sshd_config option.

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

DAve

-- 
The whole internet thing is sucking the life out of me,
there ain't no pony in there.
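An added illustration of the ChrootDirectory approach DAve points to (example code written for this page, not something posted in the thread): a sshd_config Match block that chroots members of a group into their home directory, and a small POSIX shell audit that applies the same path checks sshd(8) performs before it will chroot a session. The group name `chrooted` and the directory names in the usage are placeholders; the check logic follows the documented requirement that every component of the chroot path be a root-owned directory not writable by group or others.

```shell
#!/bin/sh
# Added example: audit a candidate ChrootDirectory the way sshd does.
# sshd refuses to chroot unless every path component is a directory owned
# by root with no group/other write permission. With "ChrootDirectory %h"
# that means the home directory itself must be root-owned, so the user
# writes into subdirectories (e.g. ~/public_html) rather than ~ itself.

# Print the sshd_config fragment this audit is meant to accompany.
# "chrooted" is a placeholder group name.
example_sshd_config() {
    cat <<'EOF'
# Members of group "chrooted" are confined to their own home directory.
# A shell session inside the chroot needs the shell and its libraries
# copied in; an SFTP-only account needs nothing extra if you also set
# "ForceCommand internal-sftp" in the same Match block.
Match Group chrooted
    ChrootDirectory %h
EOF
}

# mode_ok MODESTRING: accept an ls(1)-style mode such as "drwxr-xr-x".
# Returns 0 when it is a directory with neither group nor other write bit.
mode_ok() {
    m=$1
    case $m in
        d*) ;;                        # must be a directory
        *)  return 1 ;;
    esac
    gw=$(printf '%s' "$m" | cut -c6)  # group write position
    ow=$(printf '%s' "$m" | cut -c9)  # other write position
    [ "$gw" = "-" ] && [ "$ow" = "-" ]
}

# owner_is_root UID: numeric owner check (root is uid 0).
owner_is_root() {
    [ "$1" = "0" ]
}

# check_chroot_path DIR: walk from / down to DIR, applying both checks to
# each component; prints the first offending component and returns 1.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *)  echo "chroot path must be absolute: $target"; return 1 ;;
    esac
    oldifs=$IFS
    IFS=/
    set -- $target                    # split into path components
    IFS=$oldifs
    cur=""
    for comp in / "$@"; do
        if [ "$comp" = "/" ]; then
            cur=/
        elif [ -n "$comp" ]; then
            cur="${cur%/}/$comp"
        else
            continue                  # empty field from leading "/"
        fi
        # ls -ldn: mode links uid gid ... (uid numeric on GNU and BSD ls)
        line=$(ls -ldn "$cur" 2>/dev/null) || {
            echo "$cur: cannot stat"; return 1; }
        set -- $line
        mode=$1
        uid=$3
        if ! mode_ok "$mode"; then
            echo "$cur: not a directory, or writable by group/others ($mode)"
            return 1
        fi
        if ! owner_is_root "$uid"; then
            echo "$cur: owned by uid $uid, sshd requires root"
            return 1
        fi
    done
    echo "$target: acceptable as ChrootDirectory"
    return 0
}

# Usage: ./chroot_audit.sh /home/shannon
if [ $# -gt 0 ]; then
    example_sshd_config
    check_chroot_path "$1"
fi
```

Run it against each home directory you intend to name in ChrootDirectory before restarting sshd; a failure message names the first component that sshd would reject, which is usually the user-owned home itself. Symlinked components are examined as links here, whereas sshd checks the resolved directory, so run the audit on the resolved path.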