Restricting users to their own home directories / not letting users view other users' files...?
pauls at utdallas.edu
Wed Feb 11 17:07:49 PST 2009
--On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith
<rsmith at xs4all.nl> wrote:
>> Why can't you chgroup and setgid the homedirs to www? (Or whatever
>> account the web server is running under.) You really have two
>> 1) Users can't see other users' files
>> 2) The web server can read all users' web files
>> So you chmod the homedirs to 750/640, and chgroup the dirs and files
>> to www, then set the sticky bit for the group, and you're done.
> According to the chgrp manual:
> The user invoking chgrp must belong to the specified group and be the
> owner of the file, or be the super-user.
Sorry if I wasn't clear.
I wasn't suggesting that the *users* chgrp the files. Keith would do that as
root. Then he sets the setgid bit to www (or whatever the web user is), and
from that point going forward any files created by the user would be user:www
instead of user:user. Set the umask to 027, and world has no readability.
This is exactly how I used to handle some files on a webserver that I maintain
that other people needed to be able to edit, add and delete files from. Once
the sgid bit is set, the group membership of the files remains www no matter
what user creates/touches a file.
Note that the first bit isn't usually referred to when discussing chmod. So
most people will say, for example, chmod directories 755. And if you type '%
chmod 755 dir', that's what you'll get. To set the sgid bit, you need to type
'% chmod 2755 dir'. See the man 1 chmod for details.
My apologies for calling the sgid bit the "sticky" bit, since that's not
technically correct. I should have said "setgid" bit rather than "sticky group
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas