This approach is pretty much what we did at the ISP I worked at, and it
works fine. Gives the user access to his own files easily while removing
SOME security concerns.

Brad 'GreyBear' Davis
Ronin Coder/Bithead at Large
-----------------------------------------------
'Don't crush that dwarf, hand
me the pliers!'
----- Original Message -----
From: Sam Bayne <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 04, 1999 2:49 PM
Subject: Re: Permissions to allow public_html and nothing else


> > > > I am currently in a similar situation. Apache requires that the user's
> > > > home directory be world executable and the public_html directory be
> > > > world readable. In my application, however, this is unacceptable,
> > > > since the user may have private files in his public_html directory
> > > > that are protected by a .htaccess file. It's not very useful to protect
> > > > them with a .htaccess file if any other user on the system can browse
> > > > through them with a chdir.
>
> By my reading of the UserDir directive documentation at Apache.org, you
> could set the user's web space to a directory that is NOT in their home
> directory.
>
> This won't protect files located in the web space, but it allows you to set
> very restrictive permissions on the user homes, while setting just the web space
> to world read/execute.  You could use links to make it look like the web space
> is still in ~user/public_html, but that might break some dynamic content.
>
> Something like this:
> User bob has his home dir:
> drwxr-x---    bob    bob    /home/bob
> and his web space:
> drwxr-xr-x    bob    bob    /web/bob
> and there is a link from /home/bob/public_html to /web/bob.
>
> and the httpd.conf has a line like this:
> UserDir /web/*
>
> Apache gurus should comment, as there may be other issues at stake here.
>
> The user just chooses to store private files in /home/bob, and access them via
> carefully audited setGID cgi's.
>
>


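A check for the layout described in the quoted message (home directory closed to other users, web space world read/execute, public_html as a link into the web space), added here as an example and not part of the original thread. The function names and the scratch ROOT prefix are hypothetical; GNU or BSD `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example: audit the split home / web-space layout for one user.
# ROOT is a scratch prefix (constructed); on a real host it would be empty.

# Print the octal permission bits of a path (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Last octal digit = permissions granted to "other" users.
other_bits() {
    m=$(mode_of "$1") || return 1
    printf '%s\n' "${m#"${m%?}"}"
}

# audit_user ROOT USER: print one line per problem, return the problem count.
audit_user() {
    root=$1 user=$2 bad=0
    home=$root/home/$user
    web=$root/web/$user
    link=$home/public_html

    # Home must give nothing to "other", so local users cannot chdir into it.
    if [ "$(other_bits "$home")" != 0 ]; then
        echo "FAIL $home: accessible to other users (mode $(mode_of "$home"))"
        bad=$((bad + 1))
    fi
    # Web space must be r-x for "other" so httpd can serve it, but not writable.
    case $(other_bits "$web") in
        5) ;;
        *) echo "FAIL $web: expected r-x for other (mode $(mode_of "$web"))"
           bad=$((bad + 1)) ;;
    esac
    # Convenience link must point at the web space and nowhere else.
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$web" ]; then
        echo "FAIL $link: not a symlink to $web"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Build the layout from the message under ROOT (for a dry run in a scratch dir).
setup_layout() {
    mkdir -p "$1/home/$2" "$1/web/$2" &&
    chmod 750 "$1/home/$2" && chmod 755 "$1/web/$2" &&
    ln -s "$1/web/$2" "$1/home/$2/public_html"
}
```

As the message notes, this layout does not hide files placed in the web space itself from other local users; the audit only confirms that the home directory stays closed.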