From owner-freebsd-questions@FreeBSD.ORG Wed Feb 11 20:25:10 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 719C91065731 for ; Wed, 11 Feb 2009 20:25:10 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr8.xs4all.nl (smtp-vbr8.xs4all.nl [194.109.24.28]) by mx1.freebsd.org (Postfix) with ESMTP id 042318FC22 for ; Wed, 11 Feb 2009 20:25:09 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from slackbox.xs4all.nl (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr8.xs4all.nl (8.13.8/8.13.8) with ESMTP id n1BKODER052254; Wed, 11 Feb 2009 21:24:18 +0100 (CET) (envelope-from rsmith@xs4all.nl) Received: by slackbox.xs4all.nl (Postfix, from userid 1001) id 81A3DBA97; Wed, 11 Feb 2009 21:24:13 +0100 (CET) Date: Wed, 11 Feb 2009 21:24:13 +0100 From: Roland Smith To: Paul Schmehl Message-ID: <20090211202413.GA44294@slackbox.xs4all.nl> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk" Content-Disposition: inline In-Reply-To: X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt X-GPG-Notice: If this message is not signed, don't assume I sent it! User-Agent: Mutt/1.5.18 (2008-05-17) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: Keith Palmer , freebsd-questions@freebsd.org Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 20:25:11 -0000 --qDbXVdCdHGoSgWSk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Feb 11, 2009 at 01:23:23PM -0600, Paul Schmehl wrote: > --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer=20 > wrote: > > > ... really? Write a script to copy the user's files over on a schedule.= =2E.? > > > > I can see where that might be an option for some people, but that's > > entirely not an option in this case. I'd have to schedule it to run eve= ry > > 5 seconds or something to keep users from getting upset. > > > > > > What if I symlinked each home user's public_html directory to a directo= ry > > readable only by Apache? Would Apache be able to read the destination > > directory via the symlink, even if it doesn't have permission to access > > the destination directory? > > >=20 > Why can't you chgroup and setgid the homedirs to www? (Or whatever > account the web server is running under.) You really have two > requirements: >=20 > 1) Users can't see other users' files > 2) The web server can read all users' web files >=20 > So you chmod the homedirs to 750/640, and chgroup the dirs and files > to www, then set the sticky bit for the group, and you're done. =20 According to the chgrp manual:=20 The user invoking chgrp must belong to the specified group and be the owner of the file, or be the super-user. So if a non-root user wanted to add a new file, he'd have to be in the www group to chgrp! Which would give other users (who'd also have to be in the www group) at least read access to these files. And possilby to other files used by apache as well. Now for these webpages giving other reads access shouldn't be that much of a problem. Since these are webpages they are presumably _meant_ to be read by others. But giving all the users access to files belonging to apache, that might not be desirable? The thing is that the user would need to know that they have to chown and chmod any new file/dir they create in public_html. For the average windows user that would probably be too much to ask for. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --qDbXVdCdHGoSgWSk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (FreeBSD) iEYEARECAAYFAkmTM+0ACgkQEnfvsMMhpyWfRQCeOd3Wt1/YRCz9TbGqS6bZQuTH KrEAoJxsFqT2OsQjPAmmyml3JWs6VlZ8 =I1Zw -----END PGP SIGNATURE----- --qDbXVdCdHGoSgWSk--