Restricting users to their own home directories / not letting
users view other users files...?
Chris Rees
utisoft at googlemail.com
Wed Feb 11 11:34:46 PST 2009
2009/2/11 Paul Schmehl <pschmehl_lists at tx.rr.com>:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> <keith at academickeys.com> wrote:
>
>>
>>
>> ... really? Write a script to copy the user's files over on a schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run every
>> 5 seconds or something to keep users from getting upset.
>>
>>
>> What if I symlinked each home user's public_html directory to a directory
>> readable only by Apache? Would Apache be able to read the destination
>> directory via the symlink, even if it doesn't have permission to access
>> the destination directory?
>>
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever account
> the web server is running under.) You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to www,
> then set the sticky bit for the group, and you're done. Seems to me that's
> the simplest way to go about it. Setting the sticky bit ensures that any
> new files created by a user will have www as the group.
Sticky doesn't... it's sgid you want.
Sticky means that only the creator (owner) can use unlink on the file.
Chris
--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
More information about the freebsd-questions
mailing list