On Wednesday 11 February 2009 07:22:17 Keith Palmer wrote:
> OK, I'm sure this question has been asked a million times, but I haven't
> been able to find a straight answer that actually solves the problem, so
> here goes.
> We have a FreeBSD server with multiple users. I would rather each user
> *not* be able to view other users' files via an SSH or SFTP session. i.e.
> if I'm logged in as "keith" I should *not* get a list of files when I do
> "ls /home/shannon"
> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
> Sooo... how can I set this up so that users can't view other users' files,
> but Apache still works?

Your problem might be how they change the files, if via FTP, but...

- Move the public_html dirs
- chgrp www, chmod 640.
- symlink in the home dir


mkdir /var/userweb
for USERDIR in /home/*; do
        if test -d ${USERDIR}/public_html; then
                # one directory per user under /var/userweb, named after the home dir
                destdir=/var/userweb/$(basename ${USERDIR})
                mkdir ${destdir}
                mv ${USERDIR}/public_html ${destdir}/
                ln -s ${destdir}/public_html ${USERDIR}/public_html
                chgrp -R www ${destdir}/public_html
                # owner keeps write; group www loses write; others get nothing
                chmod -R u+w,g-w,o= ${destdir}/public_html
        fi
done

In httpd.conf:
UserDir /var/userweb/*/public_html

That said, I don't really understand your 'ls' paranoia. If you don't care 
about ls, you can set users' umask to 0027 and rechmod all files to 640. Have 
users in their own group and have */public_html group www. /home/username 
then has to have 755 in order for apache to get to public_html.


Problem with today's modular software: they start with the modules
    and never get to the software part.
freebsd-questions@freebsd.org mailing list
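Added example, not code from the thread: a POSIX sh audit for the symlinked layout the reply sets up (docroots under a web root such as /var/userweb, group www, symlinked from each home). The home root, web root and group are parameters; it reports any docroot that is group-writable or world-accessible, any home directory that others can list, and any missing or wrong symlink, and returns non-zero if anything is off.

```shell
#!/bin/sh
# usage: audit_userweb HOME_ROOT WEB_ROOT WEB_GROUP
# e.g.   audit_userweb /home /var/userweb www
audit_userweb() {
    home_root=$1; web_root=$2; web_group=$3
    rc=0
    for userdir in "$home_root"/*; do
        [ -d "$userdir" ] || continue
        user=$(basename "$userdir")
        docroot="$web_root/$user/public_html"
        [ -d "$docroot" ] || continue      # user has no web dir; nothing to check

        # Parse "drwxr-x--- 2 owner group ..." from ls; same layout on GNU and BSD ls.
        set -- $(ls -ld "$docroot")
        mode=$1; group=$4
        grp=$(printf '%s' "$mode" | cut -c5-7)
        others=$(printf '%s' "$mode" | cut -c8-10)
        if [ "$group" != "$web_group" ]; then
            echo "$user: $docroot group is '$group', expected '$web_group'"; rc=1
        fi
        case $grp in
            r-x) ;;                       # web server group reads and traverses, no write
            *) echo "$user: $docroot group mode is '$grp', expected 'r-x'"; rc=1 ;;
        esac
        if [ "$others" != "---" ]; then
            echo "$user: $docroot grants others '$others', expected none"; rc=1
        fi

        # Home dir: with the docroot moved out, others need no read bit at all.
        set -- $(ls -ld "$userdir")
        if [ "$(printf '%s' "$1" | cut -c8)" = "r" ]; then
            echo "$user: $userdir is world-readable (others can ls it)"; rc=1
        fi

        # The symlink in the home dir must exist and point at the real docroot.
        if [ ! -L "$userdir/public_html" ] ||
           [ "$(readlink "$userdir/public_html")" != "$docroot" ]; then
            echo "$user: $userdir/public_html is not a symlink to $docroot"; rc=1
        fi
    done
    return $rc
}
```

Run it after the move script above, or from cron, to catch a user who later loosens their permissions.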
