Date:      Thu, 12 Feb 2009 11:04:59 -0500 (EST)
From:      "Keith Palmer" <keith@academickeys.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Restricting users to their own home directories / not letting users view other users files...?
Message-ID:  <52934.12.68.55.226.1234454699.squirrel@www.academickeys.com>
In-Reply-To: <20090212154540.GC3324@laverenz.de>
References:  <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> <F41F7727070FF48ED4A2BCB1@utd65257.utdallas.edu>


Your other proposed solution results in the same situation, correct? No
matter what, Apache needs read-access to any and all files, so no matter
what PHP will have access to read any user's files. There's no way around
that for a shared hosting situation that I know of...

If you remove the group's write privs, then PHP scripts can't really do any
damage at least.


Your solution doesn't work because the user "keith" could still do a "ls
/home/shannon/public_html/" and get the directory listing (shannon's
public_html directory is 0755, per your suggestion). Unless I'm missing
something...?

-- 
 - Keith Palmer
   Keith@AcademicKeys.com
   http://www.AcademicKeys.com/

On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users out
>> of the entire system, but it does ensure that users can't view other
>> users' files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
>
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
>
> bye,
> Uwe
>
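The two risks discussed in this thread (a 0755 public_html that any local user can list, and a group-writable one that a PHP script running with the web server's group could modify) can be spotted with a small permission audit. This is an added example, not code from either poster; the directory layout /home/USER/public_html and the use of GNU `stat` with a FreeBSD `stat` fallback are assumptions.

```sh
# audit_public_html BASE: report each BASE/*/public_html whose mode lets
# "other" users read (i.e. list) it, or lets the group write to it.
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_public_html() {
  base=$1
  findings=0
  for d in "$base"/*/public_html; do
    [ -d "$d" ] || continue
    # Octal mode: GNU stat (Linux) first, FreeBSD stat as fallback (assumed).
    mode=$(stat -c '%a' "$d" 2>/dev/null) || mode=$(stat -f '%OLp' "$d")
    perm=${mode#"${mode%???}"}      # last three digits: user/group/other
    g=${perm%?}; g=${g#?}           # group digit
    o=${perm#??}                    # other digit
    case $o in
      4|5|6|7)
        echo "WORLD-READABLE  $d ($mode): any local user can ls it"
        findings=1 ;;
    esac
    case $g in
      2|3|6|7)
        echo "GROUP-WRITABLE  $d ($mode): a script running with this group could modify it"
        findings=1 ;;
    esac
  done
  return $findings
}

# Usage: audit_public_html /home
```

Run it against /home (or wherever user homes live) after changing modes or group ownership; a clean run prints nothing and exits 0.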



