Date: Mon, 30 Jul 2001 20:43:36 +0200
From: Eric Veraart <eric@monkey-online.net>
To: Kal Torak <kaltorak@quake.com.au>, freebsd-isp@freebsd.org
Subject: Re: Admin user in all groups
Message-ID: <3B65AAD8.9FC2C323@monkey-online.net>
References: <Pine.BSF.4.33.0106280755290.97849-100000@guru.citec.qld.gov.au> <3B3A592A.6B3E69B3@monkey-online.net> <3B3AE229.7BE40E9F@quake.com.au>

If I use DefaultRoot ~ !wheel,admin and later on UserOwner admin, the
person who logs into that dir can get out of his dir anyway. But if I
only put wheel there as group it works correctly, because admin is in
group wheel, but the dir is used by company.

Kal Torak wrote:
>
> Eric Veraart wrote:
> >
> > And then make a script that chowns everything in all the website dirs to
> > admin after a user has uploaded its own HTML file? It is a possibility,
> > but I think there must be an easier way.
>
> You will find with Proftpd you can specify the owner and group owner
> of files in a given directory as well as the umask...
>
> It was also mentioned that you made all the users anonymous to get
> the chroot feature, but you can specify that everyone get chrooted
> when they login...
>
> In the basic server config I have a line saying
>
> DefaultRoot ~ !wheel
>
> Which means everyone gets chrooted to their home dir (~) except
> people in group wheel... The list of exceptions is a comma separated
> list, groups have a ! mark in front of them and users are just written
> as normal... So you might have something like:
>
> DefaultRoot ~ !wheel,admin,someuser,anotheruser
>
> Then for the dirs of each web site put something like:
>
> <Directory /hosted/company>
>   UserOwner admin
>   GroupOwner company
>   Umask 003
> </Directory>
>
> That should solve your problems...
>
> The reason you can't follow a symlink is because the user has been
> chrooted to a directory, so to them nothing below this exists, it's
> the root... Allowing someone to follow a symlink out of a chroot
> would not only be a major security hole but would defeat the whole
> purpose of a chroot...
>
> Good Luck!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
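
The behaviour reported in the reply above is consistent with ProFTPD's documented handling of the DefaultRoot group-expression: the entries are group names, commas join them as a logical AND, and ! negates membership. The Python sketch below is an added example, not code from the thread or from ProFTPD; the account names and group memberships are constructed, and it models only the single-argument form of the expression.

```python
# Added illustration; not code from the thread or from ProFTPD.
# Assumption: a DefaultRoot group-expression is a comma-separated list of
# GROUP names joined by logical AND, where a leading "!" negates membership.

def parse_default_root(line):
    """Return (directory, [(negated, group), ...]) for a DefaultRoot line."""
    parts = line.split()
    if len(parts) not in (2, 3) or parts[0].lower() != "defaultroot":
        raise ValueError("unsupported DefaultRoot line: %r" % line)
    terms = []
    if len(parts) == 3:
        for raw in parts[2].split(","):
            negated = raw.startswith("!")
            group = raw[1:] if negated else raw
            if not group:
                raise ValueError("empty group name in %r" % parts[2])
            terms.append((negated, group))
    return parts[1], terms

def is_chrooted(line, groups):
    """True when every term holds for this set of groups (AND semantics)."""
    _, terms = parse_default_root(line)
    return all((group in groups) != negated for negated, group in terms)

def audit(line, accounts):
    """Map each account name to whether the directive chroots it."""
    return {name: is_chrooted(line, groups) for name, groups in accounts.items()}

# Constructed accounts: "admin" is in group wheel (as in the thread); "webuser"
# is a hypothetical upload account in group company. No group named admin exists.
ACCOUNTS = {"admin": {"wheel"}, "webuser": {"company"}}

if __name__ == "__main__":
    for directive in ("DefaultRoot ~ !wheel",
                      "DefaultRoot ~ !wheel,admin",
                      "DefaultRoot ~"):
        print(directive, "->", audit(directive, ACCOUNTS))
```

Under this model the second directive chroots neither account, because no login is both outside wheel and inside a group named admin. Running the same audit over every FTP login before changing DefaultRoot shows which accounts would be left unconfined.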