Restricting users to their own home directories / not letting users view other users files...?

Keith Palmer keith at academickeys.com
Thu Feb 12 06:39:21 PST 2009


Paul,

Thanks so much, this solution works really well! It doesn't lock users out
of the entire system, but it does ensure that users can't view other
users' files via SFTP/SSH, which is fantastic.

The actual syntax for setting the setgid bit on directories is:
find /path/to/directory -type d -exec chmod g+s '{}' \;


Thanks!

-- 
 - Keith Palmer
   Keith at AcademicKeys.com
   http://www.AcademicKeys.com/

On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> <keith at academickeys.com> wrote:
>
>>
>>
>> ... really? Write a script to copy the user's files over on a
>> schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run
>> every 5 seconds or something to keep users from getting upset.
>>
>>
>> What if I symlinked each home user's public_html directory to a
>> directory readable only by Apache? Would Apache be able to read the
>> destination directory via the symlink, even if it doesn't have
>> permission to access the destination directory?
>>
>
> Why can't you chgroup and setgid the homedirs to www?  (Or whatever
> account the web server is running under.)  You really have two
> requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to
> www, then set the sticky bit for the group, and you're done.  Seems to me
> that's the simplest way to go about it.  Setting the sticky bit ensures
> that any new files created by a user will have www as the group.
>
> So chown -R someuser:www /home/someuser
> find /home/someuser -type d -exec chmod 2750 '{}' \;
> find /home/someuser -type f -exec chmod 640 '{}' \;
>
> (Might have my syntax on the find command messed up a bit.  Make sure to
> man that.)
>
> If your users have their webfiles in /home/someuser/public_html, then you
> only need to setgid that dir and its subdirs, not the user's homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
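A scripted rendition of the recipe discussed above, added here as an example rather than taken from either poster: it chgrps a public_html tree to the web server's group, sets 2750 on directories and 640 on files (the setgid bit only does useful work on the directories), and then verifies the layout, including that a file created afterwards inherits the directory's group. The function names and the demo tree are constructed for this example; in practice the group argument would be www, which needs root to chgrp to, so the demo passes the caller's own primary group.

```shell
#!/bin/sh
# Example code for the thread, not the posters' own commands.
set -eu

# lock_down_webdir DIR GROUP
#   dirs  -> 2750: owner rwx, group rx (web server can traverse), others nothing, setgid on
#   files -> 640 : owner rw,  group r  (web server can read),     others nothing
lock_down_webdir() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2750 '{}' \;
    find "$dir" -type f -exec chmod 640 '{}' \;
}

# check_webdir DIR GROUP: returns 0 only if every dir is exactly 2750, every
# file exactly 640, everything belongs to GROUP, and a file created afterwards
# picks up GROUP from the setgid directory instead of the creator's group.
check_webdir() {
    dir=$1; group=$2
    [ -z "$(find "$dir" -type d ! -perm 2750)" ] || return 1
    [ -z "$(find "$dir" -type f ! -perm 640)" ] || return 1
    [ -z "$(find "$dir" ! -group "$group")" ] || return 1
    : > "$dir/setgid_probe.html"
    [ -n "$(find "$dir/setgid_probe.html" -group "$group")" ] || return 1
    rm -f "$dir/setgid_probe.html"
}

# demo_webdir: constructed stand-in for /home/someuser/public_html with the
# usual permissive 755/644 defaults; prints its path.
demo_webdir() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/css"
    echo '<h1>hi</h1>' > "$tmp/public_html/index.html"
    echo 'body{}' > "$tmp/public_html/css/site.css"
    chmod 755 "$tmp/public_html" "$tmp/public_html/css"
    chmod 644 "$tmp/public_html/index.html" "$tmp/public_html/css/site.css"
    echo "$tmp/public_html"
}
```

Run it as `d=$(demo_webdir); lock_down_webdir "$d" "$(id -gn)"; check_webdir "$d" "$(id -gn)" && echo ok`; with root and a real www group, substitute the user's public_html path and www.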


