Date:      Tue, 17 Feb 2009 10:25:29 +0000
From:      Chris Rees <utisoft@googlemail.com>
To:        freebsd-questions@freebsd.org, keith@academickeys.com
Subject:   Re: Restricting users to their own home directories / not letting  users view other users files...?
Message-ID:  <b79ecaef0902170225w7743ec68s2e30aa27f9c031be@mail.gmail.com>
In-Reply-To: <b79ecaef0902170221w66dfdcc3g202250e43a0efb89@mail.gmail.com>
References:  <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu> <62055.12.68.55.226.1234449558.squirrel@www.academickeys.com> <20090212154540.GC3324@laverenz.de> <b79ecaef0902170221w66dfdcc3g202250e43a0efb89@mail.gmail.com>

2009/2/17 Chris Rees <utisoft@googlemail.com>:
> 2009/2/12 Uwe Laverenz <uwe@laverenz.de>:
>> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>>
>>> Thanks so much, this solution works really well! It doesn't lock users out
>>> of the entire system, but it does ensure that users can't view other
>>> user's files via SFTP/SSH, which is fantastic.
>>
>> This solution enforces the switch of all user directories to group "www",
>> which also means that any member of the group www gets access to these
>> directories. This would be even more dangerous if your webserver runs
>> with gid www and contains a php-module or something similar with a long
>> tradition of security problems. Sorry, but you really, really should not
>> do it this way.
>>
>> The sticky bit for group www on the public_html directories can be a good
>> idea, though.
>>
>> bye,
>> Uwe
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
> Do you really mean sticky? Or do you mean sgid? Sgid directories are
> unnecessary in BSD systems anyway. In the (one true UNIX) BSD Way, new
> files in a directory are always of the group of the directory.
>
> Sticky is something completely different
> http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=sticky
>
> --
> R< $&h ! > $- ! $+      $@ $2 < @ $1 .UUCP. > (sendmail.cf)
>

Alright, let's go into a culture shock mode, and suggest a change in layout.

[chris@amnesiac]~% ls -l /home/chris
total 1712
drwx------  6 chris  chris     512 Dec  8 15:40 home/
drwxr-xr-x  1 chris  chris    1743 Nov 22 14:35 public_html/

And stick the contents of the home directory in home/

Only trouble is if you don't want dotfiles (.cshrc etc.) visible, but
you'll have to live with that. Or set the permissions to 700. Be careful
with dotfiles; don't forget .* matches .. too :(

Chris

-- 
R< $&h ! > $- ! $+	$@ $2 < @ $1 .UUCP. > (sendmail.cf)
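The layout suggested above, as an added example that is not part of the original message: a POSIX sh script that builds it in a scratch directory, moves the non-dotfiles into home/, and tightens the dotfiles with find rather than a bare `.*` glob (which would also match `..` and so touch the parent directory). The 711 mode on the top-level directory and the sample file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds ~/home (private) and
# ~/public_html (world-readable) under a scratch directory and checks modes.
set -eu

# Create the layout. 711 on the top level is an assumption: others may
# traverse to public_html but cannot list the directory itself.
setup_layout() {
    top=$1
    mkdir -p "$top/home" "$top/public_html"
    printf 'setenv EDITOR vi\n' > "$top/.cshrc"   # constructed sample dotfile
    printf 'hello\n' > "$top/notes.txt"           # constructed sample file
    chmod 711 "$top"
    chmod 700 "$top/home"
    chmod 755 "$top/public_html"
}

# Move every non-dotfile entry except home/ and public_html/ into home/.
# find with -mindepth 1 never yields '.' or '..', unlike a shell '.*' glob.
move_into_home() {
    top=$1
    find "$top" -mindepth 1 -maxdepth 1 \
        ! -name home ! -name public_html ! -name '.*' \
        -exec mv {} "$top/home/" \;
}

# Make the dotfiles that must stay at the top level unreadable by others.
# Same find idiom, so the parent directory is never chmod'ed by accident.
restrict_dotfiles() {
    top=$1
    find "$top" -mindepth 1 -maxdepth 1 -name '.*' -type f \
        -exec chmod 600 {} +
}

# Print the octal mode of a path; works with GNU stat and BSD stat.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}
```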