But unfortunately does not address our desire to give our users
password-protected web pages that aren't readable by every other user
on the system. Since I personally use this feature (I have password
protected pages that are for me and my friends and aren't the business
of just any other user on the machine), and help admin the box, the
subject has my full attention :)

Probably time we took it up with the Apache guys and see if they'll
accept our module. I'm surprised this hasn't been a bigger deal for
more people.

Thanks!
Rob

On Thu, Nov 04, 1999 at 03:03:47PM -0700, Brad 'GreyBear' Davis wrote:
> This approach is pretty much what we did at the ISP I worked at, and it
> works fine. Gives the user access to his own files easily while removing
> SOME security concerns.
>
> ----- Original Message -----
> From: Sam Bayne <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 04, 1999 2:49 PM
> Subject: Re: Permissions to allow public_html and nothing else
> 
> 
> > > > > > I am currently in a similar situation. Apache requires that the
> > > > > > user's home directory be world executable and the public_html
> > > > > > directory be world readable. In my application, however, this is
> > > > > > unacceptable, since the user may have private files in his
> > > > > > public_html directory that are protected by a .htaccess file. It's
> > > > > > not very useful to protect them with a .htaccess file if any other
> > > > > > user on the system can browse through them with a chdir.
> >
> > By my reading of the UserDir directive documentation at Apache.org, you
> > could set the user's web space to a directory that is NOT in their home
> > directory.
> >
> > This won't protect files located in the web space, but it allows you to
> > set very restrictive permissions on the user homes, while setting just the
> > web space to world read/execute.  You could use links to make it look like
> > the web space is still in ~user/public_html, but that might break some
> > dynamic content.
> >
> > Something like this:
> > User bob has his home dir:
> > drwxr-x---    bob    bob    /home/bob
> > and his web space:
> > drwxr-xr-x    bob    bob    /web/bob
> > and there is a link from /home/bob/public_html to /web/bob.
> >
> > and the httpd.conf has a line like this:
> > UserDir /web/*
> >
> > Apache gurus should comment, as there may be other issues at stake here.
> >
> > The user just chooses to store private files in /home/bob, and access
> > them via carefully audited setGID cgi's.
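
An audit of the layout described in the quoted message above (restrictive home directory, world read/execute web space, public_html link), as an added example that is not part of the original thread. The root-directory arguments and the finding labels are assumptions; the last check reports the gap the thread itself notes, namely .htaccess-protected directories in the web space that other local users can still reach.

```shell
#!/bin/sh
# Added example, not from the thread. Audits one user's split home/web layout.
# Usage: audit_user HOME_ROOT WEB_ROOT USER   (e.g. audit_user /home /web bob)
# HOME_ROOT/WEB_ROOT and the finding labels below are assumptions.

# Print the three "other" permission characters of a path, e.g. "r-x" or "---".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Print one finding per line; print nothing when the layout matches the thread.
audit_user() {
    home="$1/$3"
    web="$2/$3"
    link="$home/public_html"

    # Home directory: no access at all for "other" (drwxr-x--- in the thread).
    [ "$(other_bits "$home")" = "---" ] || echo "HOME_OPEN $home"

    # Web space: world read/execute so httpd can serve it (drwxr-xr-x).
    [ "$(other_bits "$web")" = "r-x" ] || echo "WEB_NOT_SERVABLE $web"

    # public_html must be a symlink that resolves to the web space.
    if [ -L "$link" ]; then
        target=$(cd "$link" 2>/dev/null && pwd -P)
        [ "$target" = "$(cd "$web" 2>/dev/null && pwd -P)" ] ||
            echo "LINK_MISMATCH $link"
    else
        echo "LINK_MISSING $link"
    fi

    # Residual exposure: a directory guarded by .htaccess is only guarded
    # against web clients; any "other" bit lets local users in via the shell.
    find "$web" -type f -name .htaccess 2>/dev/null | while IFS= read -r f; do
        d=$(dirname "$f")
        case "$(other_bits "$d")" in
            ---) ;;
            *) echo "HTACCESS_LOCALLY_READABLE $d" ;;
        esac
    done
}
```

A HTACCESS_LOCALLY_READABLE finding marks content that belongs outside the web space (for example in the user's home directory), which is where the thread suggests keeping private files.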

