Scott wrote on Mon, Sep 23, 2002 at 07:35:12PM -0400 :
>
> Most of the sites are ones that the user updates themselves. When I
> create an account for them I use the web space for their home directory so
> when they log in they are right in the directory. My questions are:
> 1) Is this cool or something lame I learned the wrong way

Sounds good.

> 2) What do you set the web files to in order to protect them from wandering
> eyes? Most users just use something like CuteFTP and drop the files, but
> if someone wanted to log into the box they could wander and read other web
> sites' code.

Assuming that you use user apache and group apache to run the webserver:

    chmod -R 750 /usr/www
    chgrp -R apache /usr/www
    chmod g+s /usr/www
    chmod g+s /usr/www/*

But you better make damn sure that apache can read those files before you
consider yourself done.

What this does is make mode 750 for all files and directories under and
including /usr/www (750 is rwxr-x---). Then make group apache be the owner
of all files and directories. Then (this is the magic), set the sgid bit of
the directory /usr/www. Since it's owned by group apache, the sgid bit being
set on the directory makes any file that is created be owned by group apache
(and of course, the user who created it). Any new subdirectories created by
the users will automatically have the sgid bit set.

Unfortunately, it's not simple to automatically recurse all the directories
and set the sgid bit. But a one-line bash command will do it for you:

    ls -R | grep ":$" | sed 's#:$##' | awk '{print "\""$0"\""}' | xargs chmod g+s

Work through the logic and it will start to make sense. The awk statement is
included for the sole purpose of putting quotes around the name in case it
contains spaces or funky characters.

Blue skies...			Todd
-- 
| MandrakeSoft USA             | Security is like an onion.  It's     |
| http://www.mandrakesoft.com  | made up of several layers and makes  |
| http://www.mandrakelinux.com | you cry.  --Howard Chu               |
Cooker Version mandrake-release-9.0-0.3mdk Kernel 2.4.19-12mdk
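
Added example, not part of the message above: a find-based way to apply the same owner/group/sgid layout and then audit it, passing file names as arguments so spaces and quotes need no escaping. The function names are hypothetical, and regular files keep their existing execute bits instead of being forced to 750 (an assumption of this example).

```shell
#!/bin/sh
# Added example: apply and audit the layout described in the message.
# Usage (as root, paths and group from the message):
#   harden_webroot /usr/www apache && audit_webroot /usr/www apache

# harden_webroot ROOT GROUP
# Directories become 2750 (rwxr-s---); files lose all "other" access and
# group write, and gain group read so the web server can serve them.
harden_webroot() {
    root=$1
    group=$2
    chgrp -R "$group" "$root" || return 1
    # -exec ... {} + hands names to chmod directly: no quoting tricks needed.
    find "$root" -type d -exec chmod 2750 {} + &&
    find "$root" -type f -exec chmod u+rw,g+r,g-w,o-rwx {} +
}

# audit_webroot ROOT GROUP
# Prints each path that breaks the scheme; returns 1 if any were found.
# Checks, in order: any access for "other", directory without sgid,
# wrong group, and missing group read (web server would get 403).
audit_webroot() {
    root=$1
    group=$2
    bad=$(
        find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \)
        find "$root" -type d ! -perm -2000
        find "$root" ! -group "$group"
        find "$root" ! -perm -040
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sort -u
    return 1
}
```

Run audit_webroot from cron or after each new account is created; any output means a site is either exposed to other local users or unreadable by the web server.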