Restricting users to their own home directories / not letting users view other users files...?

Chris Rees utisoft at googlemail.com
Tue Feb 17 02:21:11 PST 2009


2009/2/12 Uwe Laverenz <uwe at laverenz.de>:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users out
>> of the entire system, but it does ensure that users can't view other
>> users' files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
>
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
>
> bye,
> Uwe

Do you really mean sticky? Or do you mean sgid? Sgid directories are
unnecessary in BSD systems anyway. In the (one true UNIX) BSD Way, new
files in a directory are always of the group of the directory.

Sticky is something completely different:
http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=sticky

-- 
R< $&h ! > $- ! $+	$@ $2 < @ $1 .UUCP. > (sendmail.cf)
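
The sticky/setgid distinction raised in this message, as an added example that is not part of the original post: a small Python audit that reports which special bit a directory carries and whether the owning group can list or modify it. The function names and the scratch directories are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def describe_dir(path):
    """Report the special bits and group permissions of one directory."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "mode": format(mode, "04o"),
        "gid": st.st_gid,
        # Sticky (01000): only the entry owner, directory owner or root may delete.
        "sticky": bool(mode & stat.S_ISVTX),
        # Setgid (02000): where set, new entries take the directory's group.
        "setgid": bool(mode & stat.S_ISGID),
        "group_read": bool(mode & stat.S_IRGRP),
        "group_write": bool(mode & stat.S_IWGRP),
    }


def group_exposed(paths, gid):
    """Return the directories that members of group `gid` can list or modify."""
    exposed = []
    for path in paths:
        info = describe_dir(path)
        if info["gid"] == gid and (info["group_read"] or info["group_write"]):
            exposed.append(info)
    return exposed


def demo():
    """Build constructed scratch directories standing in for home directories."""
    base = tempfile.mkdtemp()
    paths = []
    for name, mode in {"private": 0o700, "shared": 0o750, "drop": 0o1770}.items():
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask cannot interfere
        paths.append(path)
    return paths, os.stat(paths[0]).st_gid


if __name__ == "__main__":
    for entry in group_exposed(*demo()):
        print(entry["mode"], entry["path"], "sticky" if entry["sticky"] else "")
```

Run against real home directories with the web server's gid, the same `group_exposed` call lists every directory that members of that group can read or write.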

