On Thu, Feb 17, 2011 at 01:44:26PM +0000, Ian Jackson wrote:
> Perhaps it might be reasonable to try to find a way for accounts like
> msql and www-data not to be able to access home directories (add
> "daemon" to their supplementary group list and set the permissions of
> /home 0705 to root.daemon, perhaps), but is this really worthwhile?
> If it is, the right thing to do is to go away and think about exactly
> how to do it, not to file a bug asking for the default home directory
> permissions to be changed.
This is easily accomplished using ACLs.  Example to only allow apache
access to public_html, and nothing else:

% setfacl -m g:www-data:x ~
% setfacl -m g:www-data:rx ~/public_html
% getfacl ~ ~/public_html
getfacl: Removing leading '/' from absolute path names
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:--x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
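As an added example (not part of Roger's post or of the acl tools), a small Python audit that parses getfacl output like the listing above and reports the effective rights www-data ends up with, taking the ACL mask into account, since a named-group entry is capped by the mask. The sample listing, the POLICY dict and the function names are constructed here.

```python
"""Added helper (not from the list post): compute the effective rights a named
group holds on each path in getfacl output.  Named-group entries are capped by
the mask, so group:www-data:rwx under mask::r-x is really r-x.
Sample getfacl output below is constructed to mirror the post's listing."""
import re

SAMPLE_GETFACL = """\
# file: home/rleigh
user::rwx
group::r-x
group:www-data:--x
mask::r-x
other::r-x

# file: home/rleigh/public_html
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x
"""
# Intended web-server exposure (constructed policy): traverse-only on $HOME, read+traverse on public_html.
POLICY = {"home/rleigh": "--x", "home/rleigh/public_html": "r-x"}
ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_getfacl(text):
    """Map path -> {(tag, qualifier): perms}; the mask appears as ("mask", "")."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = {}
        elif path and (m := ENTRY.match(line)):
            tag, qual, perms = m.groups()
            acls[path][(tag, qual)] = perms
    return acls

def effective(perms, mask):
    """AND a permission triple with the mask (None: no mask, nothing capped)."""
    return perms if mask is None else "".join(
        p if p != "-" and q != "-" else "-" for p, q in zip(perms, mask))

def audit(text, group="www-data", policy=POLICY):
    """Return {path: bits the group holds beyond policy}; {} means compliant."""
    bad = {}
    for path, acl in parse_getfacl(text).items():
        got = effective(acl.get(("group", group), "---"), acl.get(("mask", "")))
        allowed = policy.get(path, "---")  # paths not in policy: nothing permitted
        extra = "".join(g if g != "-" and a == "-" else "-" for g, a in zip(got, allowed))
        if extra != "---":
            bad[path] = extra
    return bad
```

Run it over `getfacl -R ~` output to catch any directory under the home where www-data picked up more than the intended traverse bit.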