User Directories On FreeBSD 8.0-RELEASE

Matthew Seaman m.seaman at
Fri Feb 19 09:05:54 UTC 2010

On 18/02/2010 21:26, Programmer In Training wrote:
> On 02/18/10 14:54, Craig Whipp wrote:
> <snip>
>> What are the permissions for your $HOME and $HOME/public_html?  The user
>> that apache is running as must be able to read from these directories.
>> - Craig
> drwxr-xr-x  49 user1  user1  1536 Feb 18 14:31 user1/
> drwxr-xr-x  18 user1  user1   2560 Feb 14 09:25 public_html/
> Possibly not the most secure permissions but I don't remember the
> default (I think it's 644).

Nope.  For directories it's 755.  You need the x permission on a
directory to chdir to it.

> Apache runs as user:group deamon:daemon

The default is www:www but I guess you know your own configuration.

> Trying to su in from root as daemon returns the following:
> su - daemon
> This account is currently not available.

Yep.  That's because it (correctly) doesn't have a usable login shell.  Try:

   su -m daemon

> user and group do exist (quadruple verified).

Given that the ~user1/public_html directory has world-read permissions,
apache won't have any trouble reading the files.  So long as apache
doesn't have *write* permission on the directory, everything is pretty
much hunky-dory security-wise.

If you're getting 403 permission denied errors trying to access
userdirs, then the problem lies within the apache configuration.
What you need to do is configure the permissions based on the home
directory path returned from getpwent() -- by default under FreeBSD
that's /home/user1/.  Never mind that much of the time /home is a symlink
to /usr/home -- it's the path returned from the passwd file that apache
uses for comparison, long before trying to resolve any symlinks and open
anything on the hard-drive.

Like this:

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>


-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
                                                  Kent, CT11 9PW
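
A diagnostic for the two checks discussed in the message above, as an added example that is not part of the original post: it tests whether the unresolved passwd-file path falls under a `<Directory>` pattern and whether every directory on the way to public_html is usable through the "other" permission bits. The function names are hypothetical, the wildcard matching is an approximation of Apache's, and the server account is assumed to be neither owner nor group member.

```python
import fnmatch
import os
import stat

def matches_directory_section(pattern, path):
    """Approximate <Directory> wildcard matching: '*' never crosses a '/'.
    The path is compared exactly as given; no symlinks are resolved."""
    pat = pattern.strip("/").split("/")
    parts = path.strip("/").split("/")
    if len(parts) < len(pat):
        return False
    # A section also covers subdirectories, so only the leading parts must match.
    return all(fnmatch.fnmatchcase(c, p) for c, p in zip(parts, pat))

def permission_problems(userdir):
    """Check every directory from / down to userdir using the 'other' mode bits.
    Assumption: the server account is neither the owner nor in the group."""
    problems = []
    current = os.sep
    for part in os.path.abspath(userdir).strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            problems.append((current, "no search (x) permission for other"))
    mode = os.stat(userdir).st_mode
    if not mode & stat.S_IROTH:
        problems.append((userdir, "not readable by other"))
    if mode & stat.S_IWOTH:
        problems.append((userdir, "writable by other"))
    return problems

def diagnose(home, pattern="/home/*/public_html"):
    """home is the passwd-file path (pw_dir), deliberately left unresolved."""
    userdir = os.path.join(home, "public_html")
    return {
        "userdir": userdir,
        "section_matches": matches_directory_section(pattern, userdir),
        "resolved_matches": matches_directory_section(pattern, os.path.realpath(userdir)),
        "problems": permission_problems(userdir),
    }

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: python3 userdir_check.py user1
    print(diagnose(pwd.getpwnam(sys.argv[1]).pw_dir))
```

When `section_matches` is false but `resolved_matches` is true, the `<Directory>` block was written for the symlink target rather than for the path in the passwd file.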

