Restricting users to their own home directories / not letting users view other users files...?

Mel
fbsd.questions at rachie.is-a-geek.net
Wed Feb 11 11:12:32 PST 2009

On Wednesday 11 February 2009 07:22:17 Keith Palmer wrote:
> OK, I'm sure this question has been asked a million times, but I haven't
> been able to find a straight answer that actually solves the problem, so
> here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user
> *not* be able to view other users' files via an SSH or SFTP session. i.e.
> if I'm logged in as "keith" I should *not* get a list of files when I do
> "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
>
> Sooo... how can I set this up so that users can't view other users' files,
> but Apache still works?
Your problem might be how they change the files, if via FTP, but...
- Move the public_html dirs
- chgrp www, chmod 640.
- symlink in the home dir
http://httpd.apache.org/docs/2.2/mod/mod_userdir.html#userdir
Example:
mkdir /var/userweb
for USERDIR in /home/*; do
	# only users who already have a public_html are moved
	if test -d "${USERDIR}/public_html"; then
		destdir=/var/userweb/${USERDIR##/home/}
		mkdir "${destdir}"
		mv "${USERDIR}/public_html" "${destdir}/"
		# keep the old path working for the user
		ln -s "${destdir}/public_html" "${USERDIR}/public_html"
		# readable by apache's group (www), nothing for anyone else
		chgrp -R www "${destdir}/public_html"
		chmod -R u+w,g-w,o= "${destdir}/public_html"
	fi
done
In httpd.conf:
UserDir /var/userweb/*/public_html
That said, I don't really understand your 'ls' paranoia. If you don't care
about ls, you can set users' umask to 0027 and rechmod all files to 640. Have
users in their own group and have */public_html group www. /home/username
then has to have 755 in order for apache to get to public_html.
-- 
Mel
Problem with today's modular software: they start with the modules
    and never get to the software part.
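One way to check that a server ends up the way the reply above describes, as an added example that is not code from this thread: it walks a home root and reports home directories other users can still ls, and public_html directories (real, or symlinked into /var/userweb) that the web server group cannot read or that are world-writable. Function names and the demo tree are assumptions, and the caller's own primary group stands in for www so the demo runs without a real web server account.

```shell
#!/bin/sh
# Example audit added to this thread (not Mel's code): reports home directories
# other users can still ls, and public_html directories (real or symlinked into
# /var/userweb) that the web server group cannot read or that are world-writable.
# Function names are assumed. ls -ldL prints "drwxr-x--- 2 owner group ..." on both
# FreeBSD and Linux, and -L reports a symlink's target, not the link itself.
mode_of()  { ls -ldL "$1" | awk '{print $1}'; }
group_of() { ls -ldL "$1" | awk '{print $4}'; }

# check_home HOMEDIR WWWGROUP: prints one line per finding, returns the count (0 = clean)
check_home() {
    home=$1 wwwgrp=$2 n=0
    others=$(mode_of "$home" | cut -c8-10)    # chars 8-10 of the mode are the "other" bits
    case $others in
        ---) ;;                                # 700/750: nobody else can ls it
        *)   echo "$home: listable by others (o=$others)"; n=$((n+1)) ;;
    esac
    pub=$home/public_html
    if [ -d "$pub" ]; then                     # -d follows the symlink
        m=$(mode_of "$pub"); g=$(group_of "$pub")
        [ "$g" = "$wwwgrp" ] || { echo "$pub: group is $g, not $wwwgrp"; n=$((n+1)); }
        [ "$(printf %s "$m" | cut -c5,7)" = rx ] || { echo "$pub: $wwwgrp cannot read it"; n=$((n+1)); }
        [ "$(printf %s "$m" | cut -c9)" != w ] || { echo "$pub: world-writable"; n=$((n+1)); }
    fi
    return $n
}

# audit_homes HOME_ROOT WWWGROUP: checks every home under HOME_ROOT, returns total findings (max 255)
audit_homes() {
    total=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        check_home "$d" "$2" || total=$((total + $?))
    done
    return $total
}

# build_demo: constructs a sample tree in a temp dir (constructed input, not a real server).
# "shannon" is laid out as the reply suggests, "keith" is left wide open; the caller's
# own primary group stands in for "www". Prints the temp root.
build_demo() {
    root=$(mktemp -d) grp=$(id -gn)
    mkdir -p "$root/home/shannon" "$root/userweb/shannon/public_html" "$root/home/keith/public_html"
    ln -s "$root/userweb/shannon/public_html" "$root/home/shannon/public_html"
    chmod 700 "$root/home/shannon"; chgrp "$grp" "$root/userweb/shannon/public_html" "$root/home/keith/public_html"
    chmod 750 "$root/userweb/shannon/public_html"   # what "u+w,g-w,o=" yields on a 755 dir
    chmod 755 "$root/home/keith"; chmod 777 "$root/home/keith/public_html"
    echo "$root"
}
root=$(build_demo); audit_homes "$root/home" "$(id -gn)" || echo "findings: $?"; rm -rf "$root"
```

On a real server the call is audit_homes /home www; the demo run at the bottom reports two findings, both for keith.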