--On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer <ke...@academickeys.com> wrote:




... really? Write a script to copy the user's files over on a schedule...?

I can see where that might be an option for some people, but that's
entirely not an option in this case. I'd have to schedule it to run every
5 seconds or something to keep users from getting upset.


What if I symlinked each home user's public_html directory to a directory
readable only by Apache? Would Apache be able to read the destination
directory via the symlink, even if it doesn't have permission to access
the destination directory?


Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.) You really have two requirements:

1) Users can't see other users' files
2) The web server can read all users' web files

So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done. Seems to me that's the simplest way to go about it. Setting the sticky bit ensures that any new files created by a user will have www as the group.

So chown -R someuser:www /home/someuser
find /home/someuser -type d exec "chmod 2750 {}" \;
find /home/someuser -type f exec "chomd 2640 {}" \;

(Might have my syntax on the find command messed up a bit. Make sure to man that.)

If your users have their webfiles in /home/someuser/public_html, then you only need to setgid that dir and its subdirs, no the user's homedir.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to