Date:      Fri, 13 Feb 2009 09:08:24 +0200
From:      Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>
To:        freebsd-questions@freebsd.org
Subject:   Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID:  <200902130908.24871.jonathan%2Bfreebsd-questions@hst.org.za>
In-Reply-To: <BE0B52A92B1794E7697D8DA3@utd65257.utdallas.edu>
References:  <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <52934.12.68.55.226.1234454699.squirrel@www.academickeys.com> <BE0B52A92B1794E7697D8DA3@utd65257.utdallas.edu>

On Thursday 12 February 2009 19:15:21 Paul Schmehl wrote:
> If you set the world readable bit, you break the entire schema.  To make it
> work, world must have no access - not even directory search access.  So you
> set u=rwx,g=srx,o-rwx (or 2750), for homedirs and u=rw,g=sr,o-rwx (or 2640)
> for files.  To maintain the schema you would also need to change the users'
> umask to 027 (or script a perm change periodically to remove the world bits
> from new files).
>
> If you want to get more granular, you can set the homedirs and all subdirs
> to owner:owner and only set the public_html dir and its subdirs to
> owner:www.  The key is to remove the world access from the homedirs and
> everything under them, set the group to www, setgid and change the umask.

setgid on the directory is a SysV-ism to switch on BSD behaviour. FreeBSD 
always sets group ownership of files to the group of the directory they're 
created in, so all you need to do is change the ownership of the directory 
and the umask.

Jonathan
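
A worked version of the scheme discussed in this thread, added here as an example rather than code from either poster. It assumes the web server group is called www on the real host; the sandbox uses a constructed temporary directory and the caller's primary group so it runs unprivileged, and it gives plain files 640 rather than 2640 because the setgid bit has no useful meaning on a non-executable data file.

```shell
#!/bin/sh
# Added example (not code from the thread): apply the homedir scheme from the
# quoted post and verify nothing under the home is world-accessible. Assumes the
# web group is "www" on the real host; this sandbox uses a constructed temp dir
# and the caller's primary group so it runs unprivileged. Files get 640 rather
# than 2640, since setgid has no useful meaning on a non-executable data file.
set -eu

# Constructed worst case: a home directory with everything world-accessible.
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/public_html/img" "$home/private"
    echo 'index' > "$home/public_html/index.html"
    echo 'secret' > "$home/private/notes.txt"
    chmod -R a+rwX "$home"
    printf '%s\n' "$home"
}

# Count entries under $1 with any world (other) bit set; 0 means compliant.
count_world_access() {
    find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) | wc -l | tr -d ' '
}

# Apply the scheme to home directory $1 with web server group $2. The setgid
# bit on directories is the SysV-ism Jonathan mentions: FreeBSD inherits the
# directory's group anyway; on Linux the bit is what makes that happen.
lock_homedir() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Create a file under umask $2 and return the world-access count afterwards:
# the default 022 reopens the hole, 027 keeps the tree closed.
create_with_umask() {
    ( umask "$2"; touch "$1/private/created-umask-$2.txt" )
    count_world_access "$1"
}

if [ "${1:-}" = "demo" ]; then
    h=$(make_sample_home)
    echo "before: $(count_world_access "$h") world-accessible entries"
    lock_homedir "$h" "$(id -gn)"
    echo "after lock: $(count_world_access "$h")"
    echo "after umask 027 create: $(create_with_umask "$h" 027)"
    echo "after umask 022 create: $(create_with_umask "$h" 022)"
    rm -rf "$h"
fi
```

Run it as `sh lock_homedir.sh demo`; the last two lines show why the umask change is part of the scheme and not an optional extra.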
