From owner-freebsd-questions@FreeBSD.ORG Wed Feb 11 19:34:45 2009
Date: Wed, 11 Feb 2009 19:34:44 +0000
From: Chris Rees
To: Paul Schmehl
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting users to their own home directories / not letting users view other users files...?

2009/2/11 Paul Schmehl :
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> wrote:
>
>> ... really? Write a script to copy the user's files over on a schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run every
>> 5 seconds or something to keep users from getting upset.
>>
>> What if I symlinked each home user's public_html directory to a directory
>> readable only by Apache? Would Apache be able to read the destination
>> directory via the symlink, even if it doesn't have permission to access
>> the destination directory?
>>
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever account
> the web server is running under.) You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to www,
> then set the sticky bit for the group, and you're done. Seems to me that's
> the simplest way to go about it. Setting the sticky bit ensures that any
> new files created by a user will have www as the group.

Sticky doesn't... it's sgid you want. Sticky means that only the creator
(owner) can use unlink on the file.

Chris

-- 
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
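The layout the thread converges on (group-owned, setgid public_html; home directories closed to other users), together with the sticky-versus-setgid distinction Chris makes, as an added worked example. This is not code from the thread or from FreeBSD; it builds everything in a scratch directory so it can be run unprivileged. The web server group is assumed to come from a WEBGROUP variable (defaulting to the caller's primary group so chgrp and setgid succeed without root; in production it would be www). It tightens Paul's suggestion in one respect: group read is granted on public_html only, and the home directory itself is 0711 (search-only), because a 750 home directory owned by group www exposes everything a user stores, not just web files, to any CGI or PHP code the server runs under that group. Two caveats a practitioner should know: on FreeBSD a new file always takes the group of its directory, so there the setgid bit is belt and braces, whereas on Linux the setgid bit is what makes the inheritance happen; and the symlink idea in Keith's message does not help, since permission checks are made on the target of the link, not the link.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: the setgid-directory
# layout the thread converges on, plus the sticky-vs-setgid distinction Chris
# makes, built in a scratch directory so it runs as an unprivileged user.
#
# Assumption (not from the original message): the web server's group is taken
# from $WEBGROUP, defaulting to the caller's primary group so that chgrp and
# setgid succeed without root. In production this is www on FreeBSD.
set -eu

WEBGROUP="${WEBGROUP:-$(id -gn)}"

# Mode string exactly as ls prints it (e.g. drwxr-s---). Taking the first ten
# characters keeps this portable across GNU and BSD ls, which may append '+',
# '@' or '.' for ACLs and extended attributes.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group owner of a path: the fourth field of `ls -ld` on both GNU and BSD ls.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Lay out one home directory:
#   $home              0711  owner has full access; everyone else may only
#                            traverse it (so the server can reach public_html)
#                            and can neither list nor read it
#   $home/public_html  2750  group $WEBGROUP, setgid so new entries inherit it
#   files inside       0640  owner rw, web server group r, nobody else
setup_home() {
    home="$1"
    mkdir -p "$home/public_html"
    chmod 0711 "$home"
    chgrp "$WEBGROUP" "$home/public_html"
    chmod 2750 "$home/public_html"
    : > "$home/public_html/index.html"      # created after setgid is on: inherits the group
    chmod 0640 "$home/public_html/index.html"
}

# Chris's correction: sticky (01000) and setgid (02000) are different bits.
# ls shows setgid as 's' in the group-execute slot and sticky as 't' in the
# other-execute slot. On a directory, sticky only restricts unlink/rename of
# entries to their owner (or the directory owner, or root), the classic /tmp
# setting; it has no effect on which group new files receive.
sticky_dir_mode() {
    mkdir -p "$1"; chgrp "$WEBGROUP" "$1"; chmod 1777 "$1"; mode_of "$1"   # drwxrwxrwt
}
setgid_dir_mode() {
    mkdir -p "$1"; chgrp "$WEBGROUP" "$1"; chmod 2770 "$1"; mode_of "$1"   # drwxrws---
}

# Audit every home under $1 and print the number of problems found: a home
# directory readable by group or other, a public_html without setgid, or a
# public_html whose group is not $WEBGROUP. Details go to stderr.
audit_homes() {
    base="$1"; problems=0
    for h in "$base"/*; do
        [ -d "$h" ] || continue
        m=$(mode_of "$h")
        case "$m" in
            d???-??-??) ;;                       # no r for group, no r for other
            *) echo "$h: home is readable by group/other ($m)" >&2
               problems=$((problems + 1)) ;;
        esac
        p="$h/public_html"
        [ -d "$p" ] || continue
        m=$(mode_of "$p")
        case "$m" in
            d?????[sS]???) ;;                    # setgid present
            *) echo "$p: setgid bit missing ($m)" >&2
               problems=$((problems + 1)) ;;
        esac
        g=$(group_of "$p")
        if [ "$g" != "$WEBGROUP" ]; then
            echo "$p: group is $g, expected $WEBGROUP" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# Stand-alone demonstration in a scratch directory (removed on exit).
demo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    setup_home "$tmp/homes/alice"
    setup_home "$tmp/homes/bob"
    echo "alice home:        $(mode_of "$tmp/homes/alice")"
    echo "alice public_html: $(mode_of "$tmp/homes/alice/public_html") group $(group_of "$tmp/homes/alice/public_html")"
    echo "alice index.html:  $(mode_of "$tmp/homes/alice/public_html/index.html") group $(group_of "$tmp/homes/alice/public_html/index.html")"
    echo "sticky dir:        $(sticky_dir_mode "$tmp/bits/sticky")"
    echo "setgid dir:        $(setgid_dir_mode "$tmp/bits/setgid")"
    echo "audit problems:    $(audit_homes "$tmp/homes")"
    chmod 0755 "$tmp/homes/bob"                # the mistake the audit exists to catch
    echo "audit after chmod: $(audit_homes "$tmp/homes")"
}
demo
```

Run it as is to see the modes, or set WEBGROUP=www and point setup_home and audit_homes at real home directories once you are root. The audit is the part worth keeping around: a user who runs chmod 755 on their home directory, or a backup restore that drops the setgid bit, silently reopens the hole, and ls output is cheaper to check on a schedule than to read by eye.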