Ahhh... well, that's a considerably more verbose solution than your first
solution. The groups are not the default FreeBSD groups, as I thought you
were using.

I will definitely check that out, thanks!

I looked into restricted shells and such, but I couldn't find any
documentation or information on that sort of stuff...

 - Keith Palmer

On Thu, February 12, 2009 11:48 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
>> Your other proposed solution results in the same situation, correct? No
> No, it doesn't. Let's assume shannon is in the login group users, her home
> directory would look like this:
>  drwx-----x   2 shannon  users      512 Feb 12 17:19 shannon
> This ensures that apache can enter /home/shannon which is necessary
> because
> that's where public_html is. It is not possible for apache to read the
> contents
> of /home/shannon because 'r' is missing. This would achieve the goal that
> other
> users including apache can not read the contents of the home dir.
> Ok, now apache needs read only access to public_html, so I would set
> permissions
> this way (2750 shannon:www):
>  drwxr-s---  2 shannon  www    512 Feb 12 17:30 public_html
> All directories under public_html should also have these permissions, all
> files should have 0640 or 0644. This would achieve the goal that apache
> can read everything it needs to but nothing more.
>> matter what, Apache needs read-access to any and all files, so no matter
>> what PHP will have access to read any user's files. There's no way
>> around
>> that for a shared hosting situation that I know of...
> Sure there is: this way apache can not read any other files outside
> public_html.
>> Your solution doesn't work because the user "keith" could still do a "ls
>> /home/shannon/public_html/" and get the directory listing (shannon's
>> public_html directory is 0755, per your suggestion). Unless I'm missing
>> something...?
> You don't have to set it to 0755. If you set it to 2750 keith can no
> longer see the files in shannon/public_html as long as he isn't member
> of group www. And even if their homedirs contain a folder that belongs
> to group www, they don't have to be members of www themselves.
> I don't now your environment, but there other ways of getting things
> more secure, such as the use of jails, restricting shell access or
> forcing the use of a restricted shell and so on.
> bye,
> Uwe

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to