Ken Teague wrote:
> On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedo...@gmail.com> wrote:
>> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
>> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
>> break stuff. Otherwise, just changing $HOME permissions is an excellent
>> solution.
>
> Great point. "chmod 700 $HOME" would make ~/public_html to be not so
> public, since, on a Debian box, apache runs under the www-data
> account. :) So, if Mr. Cohen has such a configuration, he would need
> to relocate his ~/public_html directory (along with all symlinked
> scripts or binaries) to a public location that can be accessed by the
> www-data account, and modify his apache configuration accordingly. I
> have an account on freeshell.net that is configured like this:
>
> [501]it...@iceland:~$ ls -ld $HOME
> drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> [502]it...@iceland:~$ ls -l html
> lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> [503]it...@iceland:~$ ls -ld /www/am/i/itsme
> drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
>
> This, to me, looks like the most elegant approach.
>
Actually, this is the sort of situation where a $HOME permission of 711
would be useful. Disallowing wild card based access but if the full
name is known, the file can be read (assuming it has the correct
permissions, of course).

You could even go so far as to set the group ownership of $HOME to the
www-data group and set $HOME to be 710.

--
Bob McGowan
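The script below is an added example, not part of the original thread: it compares the three $HOME modes discussed above (700, 711, 710) by reading the directory's mode bits and reporting what the "group" and "other" classes may do. The function names and the temporary directory tree are hypothetical, and it assumes GNU `stat` as shipped on Debian.

```shell
#!/bin/sh
# Added example (constructed paths; assumes GNU stat as on Debian).
# Reads mode bits only: "other" applies to www-data unless its group owns
# the directory, in which case "group" applies (the 710 suggestion).

# class_bits DIR CLASS -> permission digit 0-7 for CLASS (group|other)
class_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$2" in
        group) echo $(( (0$mode >> 3) & 7 )) ;;
        other) echo $(( 0$mode & 7 )) ;;
        *) return 2 ;;
    esac
}

# dir_access DIR CLASS -> list | traverse-only | names-only | none
dir_access() {
    bits=$(class_bits "$1" "$2") || return 1
    case "$bits" in
        5|7) echo list ;;            # r+x: wildcards and ls work
        1|3) echo traverse-only ;;   # x only: known names resolve, no listing
        4|6) echo names-only ;;      # r only: names visible, nothing reachable
        *)   echo none ;;
    esac
}

# blocking_dir TARGET CLASS STOP -> nearest ancestor of TARGET below STOP
# that lacks the search (x) bit for CLASS, or "ok" if none does.
blocking_dir() {
    dir=$(dirname "$1")
    while [ "$dir" != "$3" ] && [ "$dir" != "/" ]; do
        bits=$(class_bits "$dir" "$2") || return 1
        [ $(( bits & 1 )) -ne 0 ] || { echo "$dir"; return 0; }
        dir=$(dirname "$dir")
    done
    echo ok
}

# Demo on a throwaway tree standing in for $HOME/public_html.
tmp=$(mktemp -d)
mkdir -p "$tmp/home/public_html" && chmod 755 "$tmp/home/public_html"
: > "$tmp/home/public_html/index.html"
for m in 700 711 710; do
    chmod "$m" "$tmp/home"
    echo "$m: other=$(dir_access "$tmp/home" other)" \
         "group=$(dir_access "$tmp/home" group)" \
         "blocked-for-other=$(blocking_dir "$tmp/home/public_html/index.html" other "$tmp")"
done
rm -rf "$tmp"
```

Under 710 the "other" class is still blocked at the home directory, so that mode only serves the web server once the directory's group is the one the server runs in.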