Paul,
Thanks so much, this solution works really well! It doesn't lock users out
of the entire system, but it does ensure that users can't view other
user's files via SFTP/SSH, which is fantastic.
The actual syntax for setting the setgid bit on directories is:
find /path/to/directory -type d -exec chmod g+s '{}' \;
Thanks!
--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/
On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer
> <ke...@academickeys.com> wrote:
>
>>
>>
>> ... really? Write a script to copy the user's files over on a
>> schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run
>> every
>> 5 seconds or something to keep users from getting upset.
>>
>>
>> What if I symlinked each home user's public_html directory to a
>> directory
>> readable only by Apache? Would Apache be able to read the destination
>> directory via the symlink, even if it doesn't have permission to access
>> the destination directory?
>>
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever
> account the
> web server is running under.) You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to
> www,
> then set the sticky bit for the group, and you're done. Seems to me
> that's the
> simplest way to go about it. Setting the sticky bit ensures that any new
> files
> created by a user will have www as the group.
>
> So chown -R someuser:www /home/someuser
> find /home/someuser -type d exec "chmod 2750 {}" \;
> find /home/someuser -type f exec "chomd 2640 {}" \;
>
> (Might have my syntax on the find command messed up a bit. Make sure to
> man
> that.)
>
> If your users have their webfiles in /home/someuser/public_html, then you
> only
> need to setgid that dir and its subdirs, no the user's homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> Check the headers before clicking on Reply.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscr...@freebsd.org"
>
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
