... really? Write a script to copy the user's files over on a schedule...?

I can see where that might be an option for some people, but that's
entirely not an option in this case. I'd have to schedule it to run every
5 seconds or something to keep users from getting upset.

What if I symlinked each home user's public_html directory to a directory
readable only by Apache? Would Apache be able to read the destination
directory via the symlink, even if it doesn't have permission to access
the destination directory?

Is there really no better way to do this...?!?

 - Keith Palmer

On Wed, February 11, 2009 1:18 pm, Roland Smith wrote:
> On Wed, Feb 11, 2009 at 11:22:17AM -0500, Keith Palmer wrote:
>> OK, I'm sure this question has been asked a million times, but I haven't
>> been able to find a straight answer that actually solves the problem, so
>> here goes.
>> We have a FreeBSD server with multiple users. I would rather each user
>> *not* be able to view other users' files via an SSH or SFTP session.
>> i.e. if I'm logged in as "keith" I should *not* get a list of files when
>> I do "ls /home/shannon"
>> I realize I can fix this by setting the permissions on the "/home/shannon"
>> directory to 700. *However* then Apache (running as user "www") won't
>> display the documents in "/home/shannon/public_html" from
>> "http://ip-address/~shannon/", instead returning a "403 Forbidden"
>> error.
>> Sooo... how can I set this up so that users can't view other users' files,
>> but Apache still works?
> Chmod the homedirs to 700. And write a script that copies the user's
> html files/directories (if they have changed) to a location where apache
> can access them. Run this script as a cronjob for root.
> Alternatively, maybe you could use ACLs to grant group www access of the
> home directories. See setfacl(1). [I've never had the need to try this,
> so I'm not sure].
> Roland
> --
> R.F.Smith                                   http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
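
The permission rule behind the 403 and the symlink question in this thread, as an added example that is not part of the original emails: it resolves the symlink, then walks the real path using classic owner/group/other mode bits for a "www" account. Assumptions: uid/gid 80 for "www" and the temporary directory layout are constructed, ACLs such as those set with setfacl(1) are not modelled, and `allowed`, `first_blocker` and `demo` are hypothetical names.

```python
import os
import stat
import tempfile

X_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)  # search a directory
R_BITS = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)  # read a file

def allowed(st, uid, gids, bits):
    """Classic owner/group/other mode-bit check; ACLs are not consulted."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def first_blocker(path, uid, gids, root=os.sep):
    """Return the first component below `root` that denies uid/gids, or None.
    Symlinks are resolved first: the target's real directories are checked."""
    root = os.path.realpath(root)
    parts = os.path.relpath(os.path.realpath(path), root).split(os.sep)
    current = root
    for name in parts[:-1]:
        current = os.path.join(current, name)
        if not allowed(os.stat(current), uid, gids, X_BITS):
            return current
    target = os.path.join(current, parts[-1])
    return None if allowed(os.stat(target), uid, gids, R_BITS) else target

def demo():
    www_uid, www_gids = 80, {80}  # assumed ids for user "www" (constructed)
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample layout
        root = os.path.realpath(tmp)
        home = os.path.join(root, "home", "shannon")
        pub = os.path.join(home, "public_html")
        os.makedirs(pub)
        os.makedirs(os.path.join(root, "www"))
        page = os.path.join(pub, "index.html")
        open(page, "w").close()
        os.chmod(page, 0o644)
        for d in (os.path.join(root, "home"), pub, os.path.join(root, "www")):
            os.chmod(d, 0o755)
        link = os.path.join(root, "www", "shannon")  # symlink -> public_html
        os.symlink(pub, link)
        results = {}
        for mode in (0o700, 0o711):  # 711: others may traverse but not list
            os.chmod(home, mode)
            blocker = first_blocker(os.path.join(link, "index.html"), www_uid, www_gids, root)
            results[oct(mode)] = blocker and os.path.relpath(blocker, root)
        return results
```

`demo()` reports `home/shannon` as the blocking component for mode 700 even when the file is reached through the symlink, and no blocker for mode 711.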

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"