Paul, Thanks so much, this solution works really well! It doesn't lock users out of the entire system, but it does ensure that users can't view other users' files via SFTP/SSH, which is fantastic.
The actual syntax for setting the setgid bit on directories is:

    find /path/to/directory -type d -exec chmod g+s '{}' \;

Thanks!

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> <ke...@academickeys.com> wrote:
>
>> ... really? Write a script to copy the user's files over on a
>> schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run
>> every 5 seconds or something to keep users from getting upset.
>>
>> What if I symlinked each home user's public_html directory to a
>> directory readable only by Apache? Would Apache be able to read the
>> destination directory via the symlink, even if it doesn't have
>> permission to access the destination directory?
>
> Why can't you chgrp and setgid the homedirs to www? (Or whatever
> account the web server is running under.) You really have two
> requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgrp the dirs and files to
> www, then set the sticky bit for the group, and you're done. Seems to
> me that's the simplest way to go about it. Setting the sticky bit
> ensures that any new files created by a user will have www as the
> group.
>
> So chown -R someuser:www /home/someuser
> find /home/someuser -type d -exec chmod 2750 {} \;
> find /home/someuser -type f -exec chmod 2640 {} \;
>
> (Might have my syntax on the find command messed up a bit. Make sure
> to man that.)
>
> If your users have their webfiles in /home/someuser/public_html, then
> you only need to setgid that dir and its subdirs, not the user's
> homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscr...@freebsd.org"
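The permission scheme discussed in the thread (user-private tree, setgid group directories the web server's group can traverse), written up as an added POSIX sh example that is not from either poster. It assumes the target group (www in the thread) already exists and that it is run as root or as the tree's owner; the demo uses the caller's own uid/gid on a throwaway directory so it can be tried without privileges.

```shell
#!/bin/sh
# Added example: apply Paul's 2750/640 scheme to a web tree and read back
# the resulting mode bits. Assumes GROUP exists (e.g. www) and that the
# caller may chown the tree (root, or the owner changing to a group they
# belong to).

# harden_webtree ROOT USER GROUP
#   directories -> 2750 (rwxr-s---): owner full, group may traverse/list,
#                  setgid so entries created later inherit GROUP, others nothing
#   files       -> 640  (rw-r-----): owner read/write, group read, others nothing
harden_webtree() {
    root=$1; user=$2; group=$3
    chown -R "$user:$group" "$root" || return 1
    find "$root" -type d -exec chmod 2750 {} + || return 1
    find "$root" -type f -exec chmod 640 {} + || return 1
}

# mode_of PATH -> symbolic mode as ls prints it (e.g. drwxr-s---).
# Used instead of stat because stat's flags differ between FreeBSD and Linux.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo tree using the caller's own numeric uid/gid.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/public_html/css"
    printf 'hello\n' > "$tmp/public_html/index.html"
    harden_webtree "$tmp" "$(id -u)" "$(id -g)" || return 1
    mode_of "$tmp/public_html"             # drwxr-s---
    mode_of "$tmp/public_html/index.html"  # -rw-r-----
    rm -rf "$tmp"
}

demo
```

Because the setgid bit lives on the directory, a file a user later uploads into public_html picks up the www group automatically; the file mode it gets still depends on the user's umask, so check that too.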