User Directories On FreeBSD 8.0-RELEASE
m.seaman at infracaninophile.co.uk
Fri Feb 19 09:05:54 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
On 18/02/2010 21:26, Programmer In Training wrote:
> On 02/18/10 14:54, Craig Whipp wrote:
>> What are the permissions for your $HOME and $HOME/public_html? The user
>> that apache is running as must be able read from these directories.
>> - Craig
> drwxr-xr-x 49 user1 user1 1536 Feb 18 14:31 user1/
> drwxr-xr-x 18 user1 user1 2560 Feb 14 09:25 public_html/
> Possibly not the most secure permissions but I don't remember the
> default (I think it's 644).
Nope. For directories it's 755. You need the x permission on a
directory to chdir to it.
> Apache runs as user:group deamon:daemon
The default is www:www but I guess you know your own configuration.
> Trying to su in from root as daemon returns the following:
> su - daemon
> This account is currently not available.
Yep. That's because it (correctly) doesn't have a usable login shell. Try:
su -m daemon
> user and group do exist (quadruple verified).
Given that the ~user1/public_html directory has world-read permissions,
apache won't have any trouble reading the files. So long as apache
doesn't have *write* permission on the directory, everything is prety
much hunky-dory security-wise.
If you're getting 403 permission denied errors trying to access
userdirs, then the problem lies within the apache configuration.
What you need to do is configure the permissions based on the home
directory path returned from getpwent() -- by default under FreeBSD
that's /home/user1/ Nevermind that much of the time /home is a symlink
to /usr/home -- it's the path returned from the passwd file that apache
uses for comparison, long before trying to resolve any symlinks and open
anything on the hard-drive.
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Allow from all
<LimitExcept GET POST OPTIONS>
Deny from all
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the freebsd-questions