Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.) You really have two requirements:1) Users can't see other users' files 2) The web server can read all users' web files So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done.According to the chgrp manual: The user invoking chgrp must belong to the specified group and be the owner of the file, or be the super-user.
Sorry if I wasn't clear.I wasn't suggesting that the *users* chgrp the files. Keith would do that as root. Then he sets the setgid bit to www (or whatever the web user is), and from that point going forward any files created by the user would be user:www instead of user:user. Set the umask to 027, and world has no readability.
This is exactly how I used to handle some files on a webserver that I maintain that other people needed to be able to edit, add and delete files from. Once the sgid bit is set, the group membership of the files remains www no matter what user creates/touches a file.
Note that the first bit isn't usually referred to when discussing chmod. So most people will say, for example, chmod directories 755. And if you type '% chmod 755 dir', that's what you'll get. To set the sgid bit, you need to type '% chmod 2755 dir'. See the man 1 chmod for details.
My apologies for calling the sgid bit the "sticky" bit, since that's not technically correct. I should have said "setgid" bit rather than "sticky group bit".
-- Paul Schmehl (pa...@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
pgpBdnxxw9yNp.pgp
Description: PGP signature
