Restricting users to their own home directories / not letting
users view other users files...?
uwe at laverenz.de
Thu Feb 12 08:52:04 PST 2009
On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
> Your other proposed solution results in the same situation, correct? No
No, it doesn't. Let's assume shannon is in the login group users, her home
directory would look like this:
drwx-----x 2 shannon users 512 Feb 12 17:19 shannon
This ensures that apache can enter /home/shannon which is necessary because
that's where public_html is. It is not possible for apache to read the contents
of /home/shannon because 'r' is missing. This would achieve the goal that other
users including apache can not read the contents of the home dir.
Ok, now apache needs read only access to public_html, so I would set permissions
this way (2750 shannon:www):
drwxr-s--- 2 shannon www 512 Feb 12 17:30 public_html
All directories under public_html should also have these permissions, all
files should have 0640 or 0644. This would achieve the goal that apache
can read everything it needs to but nothing more.
> matter what, Apache needs read-access to any and all files, so no matter
> what PHP will have access to read any user's files. There's no way around
> that for a shared hosting situation that I know of...
Sure there is: this way apache can not read any other files outside
> Your solution doesn't work because the user "keith" could still do a "ls
> /home/shannon/public_html/" and get the directory listing (shannon's
> public_html directory is 0755, per your suggestion). Unless I'm missing
You don't have to set it to 0755. If you set it to 2750 keith can no
longer see the files in shannon/public_html as long as he isn't member
of group www. And even if their homedirs contain a folder that belongs
to group www, they don't have to be members of www themselves.
I don't now your environment, but there other ways of getting things
more secure, such as the use of jails, restricting shell access or
forcing the use of a restricted shell and so on.
More information about the freebsd-questions