On Thursday 27 March 2008, Ashley Snelgrove wrote:
> Hi there,
>
> What is the best way to limit what a user can see in the system? If
> there are directories I don't want some users to have access to what
> is the best way to restrict that? For example, if a user has a home
> directory and is also part of a group administering a web site, all
> that is really needed is access to the home directory and the web
> folder. But because he needs access to the web folder I can't just
> chroot him in his home folder. I thought about making his home folder
> the web folder but there may be more web admins later. Is there a way
> to be selective, I guess, in what is accessible and what is not?
>
> Thanks for your help!!
>
> Ash
> _______________________________________________
> Openbsd-newbies mailing list
> [email protected]
> http://mailman.theapt.org/listinfo/openbsd-newbies

Unices in general do not have very fine-grained permission options. First, in Unix everything is considered a file. There are many special types of files like directories, symbolic and hard links. Even a partition is considered a file. As is your video card, and so on. Each one has read, write and execute permissions. They are grouped by owner, group and all others.

But because of the locations of executables and config files one can lock it down pretty well by having different partitions. For example you can mount a partition with read and execute but not write permissions. This is good for the /usr partition where a user has no business writing anything. Root is the administrator and the owner of most files. So you could have the owner able to read, write and execute. In this case you don't want anyone to write anything so they are limited to read and execute.

On the other hand the /etc partition does not need to execute anything so you give it read and write permissions. Root can read and write, group could have write permissions, and again others can only read. This way someone who, for example, gains access via a poorly written web script, or one of the web site people, will only have the access to make changes to the web site but nothing else. They cannot write a file and then execute the content.

I usually create a home for each client under /home where they can read and write to their web site. At the same time they only have read & write permissions there. Apache's executable is under /usr or maybe /opt if your needs vary.

If you google for securing unix web server or something similar you will find lots of examples on how to lock it down. Be aware that sandboxes are usually not considered very secure as one tends to be able to break out of them too easily. Not to say don't use them, but it's not a perfect security solution.
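Added example (not part of the original messages): a small POSIX sh check for the per-partition approach described in the reply. It reads fstab(5)-format text and reports mount points that lack the options a policy expects. The policy (/usr read-only, /home with noexec and nosuid), the function names and the sample fstab are assumptions constructed for illustration.

```shell
#!/bin/sh
# Policy (assumed for this example): mount point, then options that must be set.
POLICY='/usr ro
/home noexec,nosuid'

# Constructed sample in fstab(5) layout: device, mount point, type, options, dump, pass.
SAMPLE_FSTAB='/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /home ffs rw,nodev,nosuid 1 2'

# has_opt OPTS WANT: succeed if WANT is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab: read fstab text on stdin. Print "MISSING <mount> <option>" for
# each policy option that is absent and "NOT-SEPARATE <mount>" when the mount
# point has no fstab entry of its own. Return 1 if anything was reported.
audit_fstab() {
    fstab=$(cat)
    rc=0
    while read -r mnt required; do
        [ -n "$mnt" ] || continue
        # Options field of the first non-comment entry for this mount point.
        opts=$(printf '%s\n' "$fstab" |
            awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }')
        if [ -z "$opts" ]; then
            echo "NOT-SEPARATE $mnt"
            rc=1
            continue
        fi
        old_ifs=$IFS; IFS=,
        for want in $required; do
            has_opt "$opts" "$want" || { echo "MISSING $mnt $want"; rc=1; }
        done
        IFS=$old_ifs
    done <<EOF
$POLICY
EOF
    return $rc
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || true
```

On a real host the same function can be fed the live table with `audit_fstab < /etc/fstab`, after adjusting POLICY to the partitions that actually exist.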
