Date:      Wed, 11 Feb 2009 13:38:33 -0500 (EST)
From:      "Keith Palmer" <keith@academickeys.com>
To:        "Roland Smith" <rsmith@xs4all.nl>
Cc:        Keith Palmer <keith@academickeys.com>, freebsd-questions@freebsd.org
Subject:   Re: Restricting users to their own home directories / not letting  users view other users files...?
Message-ID:  <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com>
In-Reply-To: <20090211181843.GA41237@slackbox.xs4all.nl>
References:  <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl>


... really? Write a script to copy the user's files over on a schedule...?

I can see where that might be an option for some people, but that's
entirely not an option in this case. I'd have to schedule it to run every
5 seconds or something to keep users from getting upset.


What if I symlinked each home user's public_html directory to a directory
readable only by Apache? Would Apache be able to read the destination
directory via the symlink, even if it doesn't have permission to access
the destination directory?


Is there really no better way to do this...?!?

-- 
 - Keith Palmer
   Keith@AcademicKeys.com
   http://www.AcademicKeys.com/

On Wed, February 11, 2009 1:18 pm, Roland Smith wrote:
> On Wed, Feb 11, 2009 at 11:22:17AM -0500, Keith Palmer wrote:
>>
>> OK, I'm sure this question has been asked a million times, but I haven't
>> been able to find a straight answer that actually solves the problem, so
>> here goes.
>>
>> We have a FreeBSD server with multiple users. I would rather each user
>> *not* be able to view other users' files via an SSH or SFTP session.
>> i.e.
>> if I'm logged in as "keith" I should *not* get a list of files when I do
>> "ls /home/shannon"
>>
>> I realize I can fix this by setting the permissions on the
>> "/home/shannon"
>> directory to 700. *However* then Apache (running as user "www") won't
>> display the documents in "/home/shannon/public_html" from
>> "http://ip-address/~shannon/", instead returning a "403 Forbidden"
>> error.
>>
>> Sooo... how can I set this up so that users can't view other users'
>> files,
>> but Apache still works?
>
> Chmod the homedirs to 700. And write a script that copies the user's
> html files/directories (if they have changed) to a location where apache
> can access them. Run this script as a cronjob for root.
>
> Alternatively, maybe you could use ACLs to grant group www access of the
> home directories. See setfacl(1). [I've never had the need to try this,
> so I'm not sure].
>
> Roland
> --
> R.F.Smith                                   http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
>
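The exchange above turns on one point of the UNIX permission model: the web server needs search permission on the home directory to reach public_html, while other users should get neither a listing nor the contents. The script below is an added example, not code from the thread or from either poster; it uses the web server user name "www" from the thread only in comments, and builds a constructed scratch tree under $TMPDIR instead of touching /home. It shows the 711/755 layout in which everyone may traverse a home directory but only its owner may list it, and checks the resulting mode bits.

```shell
#!/bin/sh
# Added example, not code from the thread: the plain UNIX-permission layout that
# keeps users out of each other's home directories while still letting the web
# server user (called "www" in the thread) reach ~user/public_html.
# It works on a constructed scratch tree under $TMPDIR rather than /home.
set -eu

ROOT="${TMPDIR:-/tmp}/homes-demo.$$"

# Build a constructed stand-in for /home/<user> with a public and a private part.
make_demo_home() {
    home="$ROOT/$1"
    mkdir -p "$home/public_html" "$home/private"
    printf '<h1>%s</h1>\n' "$1" > "$home/public_html/index.html"
    printf 'not for other users\n' > "$home/private/notes.txt"
    printf '%s\n' "$home"
}

# Lock a home directory down:
#   711 on the home directory: anyone may *traverse* it (Apache needs that to
#       reach public_html) but only the owner may *list* it, so
#       "ls /home/shannon" as another user fails with "Permission denied".
#   755 on public_html and 644 on the pages inside: world-readable, as the
#       web server must read them.
#   go-rwx on everything else in the home directory: owner only.
lock_home() {
    home="$1"
    chmod 711 "$home"
    chmod 755 "$home/public_html"
    find "$home/public_html" -type f -exec chmod 644 {} +
    find "$home" -mindepth 1 -maxdepth 1 ! -name public_html \
        -exec chmod -R go-rwx {} +
}

# Symbolic mode string of a path ("drwx--x--x"), taken from ls(1) because
# the stat(1) flags differ between the BSD and GNU userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Check, from the "other" permission bits, that a user who is neither the
# owner nor in the owner's group (such as www) can traverse the home directory
# and read public_html, while being unable to list the home directory itself.
# Returns 0 when the layout is right, 1 otherwise.
check_layout() {
    home="$1"
    [ "$(mode_of "$home" | cut -c8-10)" = "--x" ] || return 1
    [ "$(mode_of "$home/public_html" | cut -c8-10)" = "r-x" ] || return 1
    [ "$(mode_of "$home/private" | cut -c8-10)" = "---" ] || return 1
    return 0
}

# Stand-alone demo: build two homes, lock them, show the resulting modes.
demo() {
    for u in shannon keith; do
        h=$(make_demo_home "$u")
        lock_home "$h"
        check_layout "$h" && echo "ok  $(mode_of "$h") $h"
    done
    rm -rf "$ROOT"
}

demo
```

Two remarks on the thread's other ideas. A symlink changes nothing here: the kernel resolves the link and applies the permission checks to the resolved target path, so www must be able to traverse every directory on the way to the real public_html just as it would without the link. Roland's ACL suggestion is the tighter variant of the 711 step: on a filesystem with ACLs enabled, an entry granting www read and search on the home directory (see setfacl(1); the entry syntax differs between POSIX.1e ACLs on UFS and NFSv4 ACLs on ZFS) lets only the web server traverse it, while the home directory itself stays 700 for everyone else.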