Hi Ognjen, on Monday, 2006-05-01 at 11:22:23, you wrote: > I have spent most of the day getting per user web serving to work > (/home/$user/public_html => http://server/~$user) but was constantly > getting "401 Forbidden" errors with apache2. > > After lots of hunting I found that you have to set the permissions for > the user directories to 755 (a+rx). So now it works, but all the users > can see each others home directories, which is unacceptable for this > server. > > So I am here to ask if anyone cen recommend a more secure way of doing > this. I
My web server is still running an old SuSE system, but this should be
basically the same. There are two ways to solve this. If you use the
public_html subdirectory approach, $HOME only has to be o+x, so others
can *enter* a user's directory but not *view* its contents. That should
be acceptable if people use a safe umask.
The reason we changed it a while ago was that we wanted to allow CGIs,
at least for certain users some of which didn't know that much about
input sanitizing 'n stuff, so a hacker could try to read other people's
files by guessing their names---the web server would need access to the
whole NFS-mounted parent of everybody's home. So now $HOME/public_html
is just a link to /www/home/$USER which lives on the web server and is
exported from there. That way a rogue CGI script could read other
people's web pages which is far less critical. Of course you still have
to check once in a while so you don't expose your passwd file or
something.
cheers!
Matthias
--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
pgpALPfUNyEug.pgp
Description: PGP signature
