On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:

> Your other proposed solution results in the same situation, correct? No

No, it doesn't. Let's assume shannon is in the login group users, her home
directory would look like this:

 drwx-----x   2 shannon  users      512 Feb 12 17:19 shannon

This ensures that apache can enter /home/shannon which is necessary because
that's where public_html is. It is not possible for apache to read the contents
of /home/shannon because 'r' is missing. This would achieve the goal that other
users including apache can not read the contents of the home dir.

Ok, now apache needs read only access to public_html, so I would set permissions
this way (2750 shannon:www):

 drwxr-s---  2 shannon  www    512 Feb 12 17:30 public_html

All directories under public_html should also have these permissions, all
files should have 0640 or 0644. This would achieve the goal that apache
can read everything it needs to but nothing more. 

> matter what, Apache needs read-access to any and all files, so no matter
> what PHP will have access to read any user's files. There's no way around
> that for a shared hosting situation that I know of...

Sure there is: this way apache can not read any other files outside

> Your solution doesn't work because the user "keith" could still do a "ls
> /home/shannon/public_html/" and get the directory listing (shannon's
> public_html directory is 0755, per your suggestion). Unless I'm missing
> something...?

You don't have to set it to 0755. If you set it to 2750 keith can no
longer see the files in shannon/public_html as long as he isn't member
of group www. And even if their homedirs contain a folder that belongs
to group www, they don't have to be members of www themselves.

I don't now your environment, but there other ways of getting things
more secure, such as the use of jails, restricting shell access or
forcing the use of a restricted shell and so on.


freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to