On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:

> Your other proposed solution results in the same situation, correct?

No, it doesn't. Let's assume shannon is in the login group users; her home directory would look like this:

drwx-----x  2 shannon  users  512 Feb 12 17:19 shannon

This ensures that apache can enter /home/shannon, which is necessary because that's where public_html is. It is not possible for apache to read the contents of /home/shannon because 'r' is missing. This would achieve the goal that other users, including apache, cannot read the contents of the home dir.

Ok, now apache needs read-only access to public_html, so I would set permissions this way (2750 shannon:www):

drwxr-s---  2 shannon  www  512 Feb 12 17:30 public_html

All directories under public_html should also have these permissions; all files should have 0640 or 0644. This would achieve the goal that apache can read everything it needs to but nothing more.

> matter what, Apache needs read-access to any and all files, so no matter
> what PHP will have access to read any user's files. There's no way around
> that for a shared hosting situation that I know of...

Sure there is: this way apache cannot read any other files outside public_html.

> Your solution doesn't work because the user "keith" could still do a "ls
> /home/shannon/public_html/" and get the directory listing (shannon's
> public_html directory is 0755, per your suggestion). Unless I'm missing
> something...?

You don't have to set it to 0755. If you set it to 2750, keith can no longer see the files in shannon/public_html as long as he isn't a member of group www. And even if their homedirs contain a folder that belongs to group www, they don't have to be members of www themselves.

I don't know your environment, but there are other ways of getting things more secure, such as the use of jails, restricting shell access or forcing the use of a restricted shell, and so on.
bye,
Uwe
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
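The permission scheme Uwe lays out above (home directory 0711 so apache can traverse but nobody can list it, public_html and its subdirectories 2750 owned by group www, files 0640 or 0644) is easy to state and easy to drift away from on a busy shared host. The following is an added example, not code from the mailing list thread: a small Python audit that builds a constructed home tree with the permissive 0755 layout Keith describes, reports every mode that deviates from the scheme, and then applies the scheme with chmod. Changing the group to www needs root and is deliberately left out, so the audit checks mode bits only; the tree, file names and helper names are all assumptions for the example.

```python
import os
import stat
import tempfile

# Scheme from the mail (constructed example, not the list's own code):
#   /home/shannon            0711  shannon:users  apache may traverse, nobody may list
#   public_html (+ subdirs)  2750  shannon:www    group www reads, others get nothing
#   files under public_html  0640 or 0644
HOME_MODE = 0o711
WEB_DIR_MODE = 0o2750
WEB_FILE_MODES = (0o640, 0o644)


def _mode(path):
    """Permission bits (including setgid) of path, without the file-type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def apply_scheme(home):
    """chmod a home tree to the scheme. chgrp to www is left out on purpose:
    it needs root, and the audit below checks mode bits only."""
    os.chmod(home, HOME_MODE)
    web = os.path.join(home, "public_html")
    # os.walk is top-down; 2750 keeps owner rwx, so descending still works.
    for root, _dirs, files in os.walk(web):
        os.chmod(root, WEB_DIR_MODE)
        for name in files:
            os.chmod(os.path.join(root, name), 0o640)


def audit_home(home):
    """Return a list of (path, reason) for every deviation from the scheme."""
    problems = []
    m = _mode(home)
    if not m & 0o001:
        problems.append((home, "other lacks x: apache cannot reach public_html"))
    if m & 0o066:
        problems.append((home, "group/other can read or write: home contents leak"))
    web = os.path.join(home, "public_html")
    if not os.path.isdir(web):
        return problems
    for root, _dirs, files in os.walk(web):
        dm = _mode(root)
        if dm != WEB_DIR_MODE:
            problems.append((root, f"dir mode {dm:04o}, expected {WEB_DIR_MODE:04o}"))
        for name in files:
            path = os.path.join(root, name)
            fm = _mode(path)
            if fm not in WEB_FILE_MODES:
                problems.append((path, f"file mode {fm:04o}, expected 0640 or 0644"))
    return problems


def build_sloppy_home():
    """Constructed sample tree using the 0755 layout the mail argues against.
    Returns the path of the fake home directory (under a temp dir)."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "shannon")
    os.makedirs(os.path.join(home, "public_html", "img"))
    os.chmod(home, 0o755)
    os.chmod(os.path.join(home, "public_html"), 0o755)
    os.chmod(os.path.join(home, "public_html", "img"), 0o755)
    for rel in ("public_html/index.html", "public_html/img/logo.png"):
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("sample content\n")  # constructed placeholder file
        os.chmod(path, 0o644)
    return home


if __name__ == "__main__":
    home = build_sloppy_home()
    for path, reason in audit_home(home):
        print(f"BEFORE: {path}: {reason}")
    apply_scheme(home)
    print("AFTER:", audit_home(home) or "no deviations")
```

Run against a real /home on a host, the audit loop is the part worth keeping: it flags a home directory that is listable by others (the 0755 case) and any public_html directory that is not 2750, while accepting both file modes the mail allows. The chgrp to www and the choice of which users are members of www remain an administrative step outside the script.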