Restricting users to their own home directories / not letting users view other users files...?

Keith Palmer keith at academickeys.com
Thu Feb 12 08:05:03 PST 2009


Your other proposed solution results in the same situation, correct? No
matter what, Apache needs read-access to any and all files, so no matter
what PHP will have access to read any user's files. There's no way around
that for a shared hosting situation that I know of...

If you remove the groups write privs, then PHP scripts can't really do any
damage at least.


Your solution doesn't work because the user "keith" could still do a
"ls /home/shannon/public_html/" and get the directory listing (shannon's
public_html directory is 0755, per your suggestion). Unless I'm missing
something...?

-- 
 - Keith Palmer
   Keith at AcademicKeys.com
   http://www.AcademicKeys.com/

On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users
>> out of the entire system, but it does ensure that users can't view other
>> users' files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
>
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
>
> bye,
> Uwe
>
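An added example, not part of the thread: a small POSIX sh audit that checks the two exposures the exchange above turns on, a public_html that is world-readable (0755, so any local user can `ls` it) and one that is group-writable (so anything running with that group's gid, such as a web server module, can modify it). The `$ROOT/<user>/public_html` layout and the user names are assumptions taken from the thread; the fixture directory tree is constructed by the script itself in a temp dir, so it runs offline as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the thread): audit a /home-style tree for
# world-readable and group-writable public_html directories.
# Assumed layout: $ROOT/<user>/public_html (hypothetical, as in the thread).

# Octal permission bits of a path, e.g. "755" or "2750".
# GNU stat first, BSD/FreeBSD stat as fallback.
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per public_html directory under $1 that is either
#   world-readable  (any local user can list it, e.g. 0755), or
#   group-writable  (anything running with the directory's gid can write there).
# Prints nothing when the tree is clean.
audit_public_html() {
    root="$1"
    for d in "$root"/*/public_html; do
        [ -d "$d" ] || continue
        mode=$(octal_mode "$d")
        perm=${mode#"${mode%???}"}            # keep the last three octal digits
        g=$(printf '%s' "$perm" | cut -c2)    # group permission digit
        o=$(printf '%s' "$perm" | cut -c3)    # other (world) permission digit
        case $o in 4|5|6|7) echo "$perm $d world-readable" ;; esac
        case $g in 2|3|6|7) echo "$perm $d group-writable" ;; esac
    done
}

# Constructed fixture: three home directories with different public_html modes.
# Echoes the path of the temp tree it created.
make_fixture() {
    top=$(mktemp -d)
    for u in keith shannon alice; do
        mkdir -p "$top/$u/public_html"
        chmod 711 "$top/$u"                 # traversable, but not listable, by others
    done
    chmod 755 "$top/shannon/public_html"    # the 0755 case from the thread: listable by anyone
    chmod 775 "$top/alice/public_html"      # group-writable: group members can add/alter files
    chmod 750 "$top/keith/public_html"      # group may read/traverse, nobody else
    echo "$top"
}

# Stand-alone demo: build the fixture, report findings, clean up.
FIXTURE=$(make_fixture)
audit_public_html "$FIXTURE"
rm -rf "$FIXTURE"
```

On the constructed fixture the audit flags shannon's directory as world-readable and alice's as both world-readable and group-writable, and stays silent on keith's 0750 directory. Run it against a real `/home` as `audit_public_html /home`; it only reads modes, so it needs no privileges beyond being able to stat the directories.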



More information about the freebsd-questions mailing list