Restricting users to their own home directories / not letting users view other users files...?

Roland Smith rsmith at xs4all.nl
Wed Feb 11 11:05:58 PST 2009 

On Wed, Feb 11, 2009 at 01:38:33PM -0500, Keith Palmer wrote:
> 
> ... really? Write a script to copy the user's files over on a schedule...?
> 
> I can see where that might be an option for some people, but that's
> entirely not an option in this case. I'd have to schedule it to run every
> 5 seconds or something to keep users from getting upset.

Cron has a granularity of one minute. Otherwise you can write a simple
script that calls rsync(1) every five seconds.

At my ISP I can upload my website to my home directory, and then I have
to execute a command to make my updates accessible from the outside. You
could do something like that as well.

> What if I symlinked each home user's public_html directory to a directory
> readable only by Apache? Would Apache be able to read the destination
> directory via the symlink, even if it doesn't have permission to access
> the destination directory?

Nope. You can't even make the symlink as a normal user:
($ = normal user, # = root)

$ ls -ld /var/heimdal
drwx------  2 root  wheel  512 Feb 11 19:45 /var/heimdal/

# fortune >/var/heimdal/foo

$ ls -s /var/heimdal/foo foo
ls: /var/heimdal/foo: Permission denied

You can make the link as root, but you still can't use it:

# ln -s /var/heimdal/foo foo
# ll foo
lrwxr-xr-x  1 root  rsmith  16 Feb 11 19:50 foo@ -> /var/heimdal/foo
 
$ cat foo 
cat: foo: Permission denied

> Is there really no better way to do this...?!?

- Try access control lists to give group WWW access (as mentioned).
- Let them upload via FTP (I think most HTML editors support this).
- Depending on the user's content you could make blogs of their sites?
  That way they can edit via the browser or their favorite blog posting
  software. 

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090211/5af21e5d/attachment.pgp

More information about the freebsd-questions mailing list