Ahhh... well, that's a considerably more verbose solution than your first solution. The groups are not the default FreeBSD groups, as I thought you were using.

I will definitely check that out, thanks! I looked into restricted shells and such, but I couldn't find any documentation or information on that sort of stuff...

-- 
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 11:48 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
>
>> Your other proposed solution results in the same situation, correct? No
>
> No, it doesn't. Let's assume shannon is in the login group users, her home
> directory would look like this:
>
> drwx-----x 2 shannon users 512 Feb 12 17:19 shannon
>
> This ensures that apache can enter /home/shannon which is necessary because
> that's where public_html is. It is not possible for apache to read the contents
> of /home/shannon because 'r' is missing. This would achieve the goal that other
> users including apache can not read the contents of the home dir.
>
> Ok, now apache needs read only access to public_html, so I would set permissions
> this way (2750 shannon:www):
>
> drwxr-s--- 2 shannon www 512 Feb 12 17:30 public_html
>
> All directories under public_html should also have these permissions, all
> files should have 0640 or 0644. This would achieve the goal that apache
> can read everything it needs to but nothing more.
>
>> matter what, Apache needs read-access to any and all files, so no matter
>> what PHP will have access to read any user's files. There's no way around
>> that for a shared hosting situation that I know of...
>
> Sure there is: this way apache can not read any other files outside
> public_html.
>
>> Your solution doesn't work because the user "keith" could still do a "ls
>> /home/shannon/public_html/" and get the directory listing (shannon's
>> public_html directory is 0755, per your suggestion). Unless I'm missing
>> something...?
>
> You don't have to set it to 0755. If you set it to 2750 keith can no
> longer see the files in shannon/public_html as long as he isn't member
> of group www. And even if their homedirs contain a folder that belongs
> to group www, they don't have to be members of www themselves.
>
> I don't know your environment, but there are other ways of getting things
> more secure, such as the use of jails, restricting shell access or
> forcing the use of a restricted shell and so on.
>
> bye,
> Uwe
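The permission layout Uwe describes, checked with a small POSIX-style access simulator (an added example, not code from the thread): the paths, modes, users and groups are constructed from the mails, and keith's login group staff is an assumption. It also shows the subtlety that the group class is decided before the other bits, so a user who shares shannon's login group users is stopped at /home/shannon even though apache can enter it.

```python
from dataclasses import dataclass


@dataclass
class Node:
    mode: int      # permission bits, e.g. 0o2750 (setgid + rwxr-s---)
    owner: str
    group: str
    is_dir: bool


# Constructed filesystem mirroring the thread's layout: /home/shannon is
# drwx-----x shannon:users, public_html is drwxr-s--- shannon:www, and the
# files under public_html are 0640 shannon:www (the setgid dir gives them group www).
FS = {
    "/": Node(0o755, "root", "wheel", True),
    "/home": Node(0o755, "root", "wheel", True),
    "/home/shannon": Node(0o701, "shannon", "users", True),
    "/home/shannon/secret.txt": Node(0o640, "shannon", "users", False),
    "/home/shannon/public_html": Node(0o2750, "shannon", "www", True),
    "/home/shannon/public_html/index.php": Node(0o640, "shannon", "www", False),
}

# Constructed accounts: apache runs with group www, keith is in another
# login group (staff, assumed), bob shares shannon's login group users.
GROUPS = {"apache": {"www"}, "keith": {"staff"}, "bob": {"users"}, "shannon": {"users"}}


def allowed(node, user, bit):
    """POSIX class check: owner, else group, else other; bit is 4/2/1 (r/w/x).
    A group match is final even when the other bits are more permissive."""
    if user == node.owner:
        return bool(node.mode & (bit << 6))
    if node.group in GROUPS.get(user, ()):
        return bool(node.mode & (bit << 3))
    return bool(node.mode & bit)


def can_access(path, user, bit, fs=FS):
    """Every directory on the way needs search (x); the target itself needs `bit`."""
    parts = path.strip("/").split("/")
    for i in range(len(parts)):
        if not allowed(fs["/" + "/".join(parts[:i])], user, 1):
            return False
    return allowed(fs[path], user, bit)


def can_read(path, user, fs=FS):
    return can_access(path, user, 4, fs)


def can_list(path, user, fs=FS):
    """Listing a directory is reading it, which is what 2750 denies to keith."""
    return fs[path].is_dir and can_access(path, user, 4, fs)
```

Passing a modified copy of FS with public_html at 0755 shows why Keith's objection held for that setting: keith can then list the directory again.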