From owner-freebsd-questions@FreeBSD.ORG Thu Feb 12 16:05:01 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7FD311065674 for ; Thu, 12 Feb 2009 16:05:01 +0000 (UTC) (envelope-from keith@academickeys.com) Received: from afekan.academickeys.com (afekan.academickeys.com [24.248.88.153]) by mx1.freebsd.org (Postfix) with ESMTP id 4BF748FC1C for ; Thu, 12 Feb 2009 16:05:01 +0000 (UTC) (envelope-from keith@academickeys.com) Received: from localhost (unknown [127.0.0.1]) by afekan.academickeys.com (Postfix) with ESMTP id 7973F3250ED; Thu, 12 Feb 2009 11:05:00 -0500 (EST) X-Virus-Scanned: by amavisd-new-2.5.2 (20070627) (FreeBSD) at localhost Received: from afekan.academickeys.com ([127.0.0.1]) by localhost (afekan.academickeys.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FA1rzFwttSam; Thu, 12 Feb 2009 11:04:59 -0500 (EST) Received: from www.academickeys.com (localhost.offsitenow.net [127.0.0.1]) by afekan.academickeys.com (Postfix) with ESMTP id 79DC73250C3; Thu, 12 Feb 2009 11:04:59 -0500 (EST) Received: from 12.68.55.226 (SquirrelMail authenticated user keith@academickeys.com) by www.academickeys.com with HTTP; Thu, 12 Feb 2009 11:04:59 -0500 (EST) Message-ID: <52934.12.68.55.226.1234454699.squirrel@www.academickeys.com> In-Reply-To: <20090212154540.GC3324@laverenz.de> References: <53134.12.68.55.226.1234369337.squirrel@www.academickeys.com> <20090211181843.GA41237@slackbox.xs4all.nl> <65534.12.68.55.226.1234377513.squirrel@www.academickeys.com> Date: Thu, 12 Feb 2009 11:04:59 -0500 (EST) From: "Keith Palmer" To: freebsd-questions@freebsd.org User-Agent: SquirrelMail/1.4.9a MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 X-Priority: 3 (Normal) Importance: Normal Content-Transfer-Encoding: quoted-printable Subject: Re: Restricting users to their own home directories / not letting users view other users files...? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2009 16:05:03 -0000 Your other proposed solution results in the same situation, correct? No matter what, Apache needs read-access to any and all files, so no matter what PHP will have access to read any user's files. There's no way around that for a shared hosting situation that I know of... If you remove the groups write privs, then PHP scripts can't really do an= y damage at least. Your solution doesn't work because the user "keith" could still do a "ls /home/shannon/public_html/" and get the directory listing (shannon's public_html directory is 0755, per your suggestion). Unless I'm missing something...? --=20 - Keith Palmer Keith@AcademicKeys.com http://www.AcademicKeys.com/ On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote: > On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote: > >> Thanks so much, this solution works really well! It doesn't lock users >> out >> of the entire system, but it does ensure that users can't view other >> user's files via SFTP/SSH, which is fantastic. > > This solution enforces the switch of all user directories to group "www= ", > which also means that any member of the group www gets access to these > directories. This would be even more dangerous if your webserver runs > with gid www and contains a php-module or something similar with a long > tradition of security problems. Sorry, but you really, really should no= t > do it this way. > > The sticky bit for group www on the public_html directories can be a go= od > idea, though. > > bye, > Uwe >