You can do this in one of two ways using SIMPLE unix file access:

One is to do what was listed below: Find the group of the apache
process, and permit the public_html directory to be read only
by the apache group.

chgrp httpd public_html
chmod 750 public_html

(You need to be root (or a member of group public_html) to do the chgrp
call, but not the chmod command.)

If you want to prevent ONLY the students from accessing the public_html
directory, then you can create a group 'students', and add all of the
student accounts into the group students. Then change the public_html
directory to be group students, and mode 706 (readable by everybody
BUT group students).

To initially set the group of all the students, you can go:

for sid in `cat student_uid_list` ; do usermod -G students $sid ; done
chgrp students public_html
chmod 706 public_html

Your last choice would be to use ACLs (access control lists).
About the only nice thing about the ACL method is that it
doesn't require you to be root. The nasty thing is that ACLs
aren't well integrated into the UNIX world, and I personally
dislike using them when I don't have to -- but they do work.

HOWEVER: you first have to mount the filesystem with ACLs available.
Change the mount options for /home (presuming that it is a separate
filesystem) or / to include 'acl'.

On a live system, you can remount to include ACL capability:

mount -o remount,acl /home

You can then permit the directory to none of the others, and
read-only to group apache:

setfacl -m other::---,u:apache:r-x /tmp/xxx

The nice thing about ACLs is that -- once you mount the filesystem
with ACLs enabled -- you don't have to be root to give specific groups
and/or users access. However, when you do an 'ls -l' it'll only hint
at the existence of ACLs by printing a '+' after the permissions section:

-rw-r-x---+ 1 samuel samuel 0 Sep 20 06:30 public_html

You need to use getfacl to get the full permissions info.

If students are members of a group, then you can permit
them no access in a similar way with ACLs:

setfacl -m group:students:--- public_html

Or you can explicitly permit specific students no access:

for name in `cat student_list` ; do setfacl -m user:"$name":--- public_html ; done


Ray Olszewski wrote:
At 08:15 AM 9/15/2004 -0400, William Stanard wrote:

I help students manage a school intranet website on a machine running Red
Hat 2.4.18-14 and Apache 2.0.40.

How do I keep my student users with accounts on the machine from being
able to access, via Putty, /home/bobo/public_html, the directory in which
I keep all of the content for the site, including tests and quizzes for my
students' online use?


I can password protect, using .htaccess, specific directories from
"unauthorized" access, but I would like to provide similar protection for
the /home/bobo/public_html/Prog/tests directory. If I change permissions
via chmod, however, then Apache will not be able to serve the pages to the
intranet.


This is actually a tricky problem, taking you into one of the blurry areas of Unix/Linux permissions. One way to solve it: first check what userid apache is running under and what groups that userid is part of. Then make the relevant files and directories mode 640 (or 750, depending on the specifics ... possibly even 660 or 770 if you have cgi scripts that need to write to files or create new files), associating them with a group that the apache userid is in but the students are not in. That should do the job for you.

Doing this may require you to change the userid that apache runs under. And I am assuming in this (a) that you are "bobo"; (b) the students do not have root access to the host. If assumption (b) is wrong, then there is no way to accomplish what you want that I know of (since root access is, by definition, never "unauthorized"). If assumption (a) is wrong, the general idea I'm suggesting should still work, but you will have to adjust some details, depending on what the userid "bobo" actually is.

-- Stephen Samuel +1(604)876-0426 [EMAIL PROTECTED] http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.
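
Added example, not part of the original message: a small shell model of how Unix picks exactly one permission class (owner, then group, then other) for a directory mode, which is what lets a mode like 706 shut out members of the directory's group while other access stays in place. The function names are made up for this illustration, and audit_dir assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post). The kernel applies exactly one
# permission class to a request: owner if the uid matches, else group if any
# of the process's gids match, else other. It never falls through.

# class_bits MODE CLASS: print the rwx string MODE gives to owner|group|other.
class_bits() {
    case $2 in
        owner) d=$(( (0$1 >> 6) & 7 )) ;;
        group) d=$(( (0$1 >> 3) & 7 )) ;;
        other) d=$((  0$1       & 7 )) ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    r=-; w=-; x=-
    if [ $(( d & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( d & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( d & 1 )) -ne 0 ]; then x=x; fi
    echo "$r$w$x"
}

# dir_access MODE CLASS: what those bits mean on a directory.
#   r = list entry names, x = reach the entries (needed to open any file),
#   w = create/delete entries (only effective together with x).
dir_access() {
    bits=$(class_bits "$1" "$2") || return 2
    case $bits in
        r?x) echo "browse" ;;       # list and open files
        -?x) echo "traverse" ;;     # open files by known name, no listing
        r?-) echo "names-only" ;;   # see names, cannot open anything
        *)   echo "none" ;;
    esac
}

# audit_dir PATH: report group/other access for a real directory.
# Assumes GNU coreutils stat (-c '%a' prints the octal mode).
audit_dir() {
    mode=$(stat -c '%a' "$1") || return 1
    echo "mode=$mode group=$(dir_access "$mode" group) other=$(dir_access "$mode" other)"
}

# Constructed walk-through of modes a docroot might be given.
for m in 750 760 705 706; do
    echo "$m: group=$(dir_access $m group) other=$(dir_access $m other)"
done
```

Run audit_dir on the real directory after each chgrp/chmod to confirm that the class the web server falls into still has the x bit, and that the class the students fall into has none.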
