Re: Restricting users to their own home directories / not letting users view other users files...?
Chris Rees wrote:

> Do you really mean sticky? Or do you mean sgid? Sgid directories are

I mean the setgid bit (octal 2000). You are right, "sticky" is something
different. :)

For some reason I don't remember anymore I got used to using the term
"sticky" for this. mea culpa!

Uwe
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Restricting users to their own home directories / not letting users view other users files...?
2009/2/17 Chris Rees:
> 2009/2/12 Uwe Laverenz:
>> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>>
>>> Thanks so much, this solution works really well! It doesn't lock users out
>>> of the entire system, but it does ensure that users can't view other
>>> user's files via SFTP/SSH, which is fantastic.
>>
>> This solution enforces the switch of all user directories to group "www",
>> which also means that any member of the group www gets access to these
>> directories. This would be even more dangerous if your webserver runs
>> with gid www and contains a php-module or something similar with a long
>> tradition of security problems. Sorry, but you really, really should not
>> do it this way.
>>
>> The sticky bit for group www on the public_html directories can be a good
>> idea, though.
>>
>> bye,
>> Uwe
>
> Do you really mean sticky? Or do you mean sgid? Sgid directories are
> unnecessary in BSD systems anyway. In the (one true UNIX) BSD Way, new
> files in a directory are always of the group of the directory.
>
> Sticky is something completely different
> http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=sticky
>
> --
> R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
> (sendmail.cf)

Alright, let's go into a culture shock mode, and suggest a change in layout.

[ch...@amnesiac]~% ls -l /home/chris
total 1712
drwx------  6 chris  chris   512 Dec  8 15:40 home/
drwxr-xr-x- 1 chris  chris  1743 Nov 22 14:35 public_html/

And stick the contents of the home directory in home/

Only trouble is if you don't want dotfiles (.cshrc etc) visible, but
you'll have to live with that. Or set the permissions 700. Be careful
with dotfiles, don't forget .* matches .. too :(

Chris

--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
(sendmail.cf)
Re: Restricting users to their own home directories / not letting users view other users files...?
2009/2/12 Uwe Laverenz:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users out
>> of the entire system, but it does ensure that users can't view other
>> user's files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
>
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
>
> bye,
> Uwe

Do you really mean sticky? Or do you mean sgid? Sgid directories are
unnecessary in BSD systems anyway. In the (one true UNIX) BSD Way, new
files in a directory are always of the group of the directory.

Sticky is something completely different
http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=sticky

--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
(sendmail.cf)
Re: Restricting users to their own home directories / not letting users view other users files...?
On Thursday 12 February 2009 19:15:21 Paul Schmehl wrote:
> If you set the world readable bit, you break the entire schema. To make it
> work, world must have no access - not even directory search access. So you
> set u=rwx,g=srx,o-rwx (or 2750), for homedirs and u=rw,g=sr,o-rwx (or 2640)
> for files. To maintain the schema you would also need to change the users'
> umask to 027 or (script a perm change periodically to remove the world bits
> from new files.)
>
> If you want to get more granular, you can set the homedirs and all subdirs
> to owner:owner and only set the public_html dir and its subdirs to
> owner:www. The key is to remove the world access from the homedirs and
> everything under them, set the group to www, setgid and change the umask.

setgid on the directory is a SysV-ism to switch on BSD behaviour. FreeBSD
always sets group ownership of files to the group of the directory they're
created in, so all you need to do is change the ownership of the directory
and the umask.

Jonathan
Re: Restricting users to their own home directories / not letting users view other users files...?
--On Thursday, February 12, 2009 10:04:59 -0600 Keith Palmer wrote:

> Your other proposed solution results in the same situation, correct? No
> matter what, Apache needs read-access to any and all files, so no matter
> what PHP will have access to read any user's files. There's no way around
> that for a shared hosting situation that I know of... If you remove the
> groups write privs, then PHP scripts can't really do any damage at least.
>
> Your solution doesn't work because the user "keith" could still do a "ls
> /home/shannon/public_html/" and get the directory listing (shannon's
> public_html directory is 0755, per your suggestion). Unless I'm missing
> something...?

If you set the world readable bit, you break the entire schema. To make it
work, world must have no access - not even directory search access. So you
set u=rwx,g=srx,o-rwx (or 2750), for homedirs and u=rw,g=sr,o-rwx (or 2640)
for files. To maintain the schema you would also need to change the users'
umask to 027 or (script a perm change periodically to remove the world bits
from new files.)

If you want to get more granular, you can set the homedirs and all subdirs
to owner:owner and only set the public_html dir and its subdirs to
owner:www. The key is to remove the world access from the homedirs and
everything under them, set the group to www, setgid and change the umask.
Once you've done that, it's pretty much maintenance free. It wouldn't hurt
to script something that crawls the homedirs periodically looking for perm
problems, just in case something crops up.

The webserver only needs read access to files (unless the application
you're running has some special requirements.) You can make a perl script
(or php files, python, tcl, you name it) read only and then configure
Apache so it's executable from within Apache but not directly from the hard
drive. Most application vendors tend to "err" on the side of too-loose
perms, demanding rwx for everything when that's really not needed.

You can play around with the perms and see what breaks, then roll the new
set out once you've figured out what's needed. But, if you do it right,
world doesn't need any access at all, and that's going to be a requirement
going forward to keep others from seeing the files. If world has access,
anyone on the server has access.

The webserver I maintain has no access at all for world. Individual dirs
may have differing access rights depending upon who needs to get into them,
but world is excluded. This means an attacker has to become root or the
webserver user before he can even see the web stuff, and only root would
have more than read access.

If the web server has read only access to the files, then an attacker is
limited to exploiting vulnerabilities in the webserver or the applications
running on it. I strongly suggest you install and use mod_security (if
you're not already) to protect against that. It's very lightweight and
works quite well. There's an active user community, and you can protect
against existing vulnerabilities with the right filters in place.

--
Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
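
The periodic crawl for permission problems suggested in the message above, as an added example that is not part of the original thread: it flags home directories that world can read or write, anything beneath them with world bits set, and group-writable entries under public_html. The function names, finding labels and the two-user sample tree are constructed for illustration; group ownership is not checked because chgrp needs root.

```shell
#!/bin/sh
# Added example (not from the thread): crawl a home tree for permission drift.
# Assumed layout: <root>/<user>/ with an optional public_html/ inside.
# Function names and finding labels are made up for this example.

# audit_homes ROOT
# Prints one finding per line as "<LABEL> <path>"; prints nothing when clean.
# Paths containing newlines are not handled.
audit_homes() {
    root=$1
    for home in "$root"/*; do
        # Skip plain files and symlinked "homes".
        if [ ! -d "$home" ] || [ -L "$home" ]; then
            continue
        fi

        # 1. The home directory itself: o+x (search only, mode 0701) is
        #    tolerated so the web server can reach public_html, but
        #    world read or write is a finding.
        find "$home" -maxdepth 0 \( -perm -0004 -o -perm -0002 \) -print |
            sed 's|^|HOME-WORLD-RW |'

        # 2. Everything below it: no world bits at all (what umask 027
        #    produces). Symlinks are skipped because their own mode bits
        #    are meaningless (always 0777 on Linux).
        find "$home" -mindepth 1 ! -type l \
            \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print |
            sed 's|^|WORLD-ACCESS |'

        # 3. The web tree: the web server's group only needs to read,
        #    so group write is a finding.
        if [ -d "$home/public_html" ]; then
            find "$home/public_html" ! -type l -perm -0020 -print |
                sed 's|^|GROUP-WRITE |'
        fi
    done
}

# make_demo_tree DIR
# Builds a constructed two-user tree: "shannon" follows the layout from
# the thread, "keith" has drifted. Group ownership (chgrp www) is left out
# because it needs root; only mode bits are audited here.
make_demo_tree() {
    d=$1
    mkdir -p "$d/shannon/public_html" "$d/keith/public_html/upload"
    : > "$d/shannon/public_html/index.html"
    : > "$d/keith/public_html/index.html"
    : > "$d/keith/notes.txt"

    chmod 0640 "$d/shannon/public_html/index.html"
    chmod 2750 "$d/shannon/public_html"
    chmod 0701 "$d/shannon"

    chmod 0644 "$d/keith/public_html/index.html" "$d/keith/notes.txt"
    chmod 0775 "$d/keith/public_html/upload"
    chmod 0755 "$d/keith/public_html" "$d/keith"
}

# Run with --demo to audit the constructed tree in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    audit_homes "$tmp"
    rm -rf "$tmp"
fi
```

On a real system the call would be `audit_homes /home` from cron as root, mailing any output to the administrator.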
Re: Restricting users to their own home directories / not letting users view other users files...?
Ahhh... well, that's a considerably more verbose solution than your first
solution. The groups are not the default FreeBSD groups, as I thought you
were using.

I will definitely check that out, thanks!

I looked into restricted shells and such, but I couldn't find any
documentation or information on that sort of stuff...

--
Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 11:48 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
>
>> Your other proposed solution results in the same situation, correct? No
>
> No, it doesn't. Let's assume shannon is in the login group users, her home
> directory would look like this:
>
> drwx-----x  2 shannon  users  512 Feb 12 17:19 shannon
>
> This ensures that apache can enter /home/shannon which is necessary because
> that's where public_html is. It is not possible for apache to read the
> contents of /home/shannon because 'r' is missing. This would achieve the
> goal that other users including apache can not read the contents of the
> home dir.
>
> Ok, now apache needs read only access to public_html, so I would set
> permissions this way (2750 shannon:www):
>
> drwxr-s---  2 shannon  www  512 Feb 12 17:30 public_html
>
> All directories under public_html should also have these permissions, all
> files should have 0640 or 0644. This would achieve the goal that apache
> can read everything it needs to but nothing more.
>
>> matter what, Apache needs read-access to any and all files, so no matter
>> what PHP will have access to read any user's files. There's no way around
>> that for a shared hosting situation that I know of...
>
> Sure there is: this way apache can not read any other files outside
> public_html.
>
>> Your solution doesn't work because the user "keith" could still do a "ls
>> /home/shannon/public_html/" and get the directory listing (shannon's
>> public_html directory is 0755, per your suggestion). Unless I'm missing
>> something...?
>
> You don't have to set it to 0755. If you set it to 2750 keith can no
> longer see the files in shannon/public_html as long as he isn't a member
> of group www. And even if their homedirs contain a folder that belongs
> to group www, they don't have to be members of www themselves.
>
> I don't know your environment, but there are other ways of getting things
> more secure, such as the use of jails, restricting shell access or
> forcing the use of a restricted shell and so on.
>
> bye,
> Uwe
Re: Restricting users to their own home directories / not letting users view other users files...?
On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:

> Your other proposed solution results in the same situation, correct? No

No, it doesn't. Let's assume shannon is in the login group users, her home
directory would look like this:

drwx-----x  2 shannon  users  512 Feb 12 17:19 shannon

This ensures that apache can enter /home/shannon which is necessary because
that's where public_html is. It is not possible for apache to read the
contents of /home/shannon because 'r' is missing. This would achieve the
goal that other users including apache can not read the contents of the
home dir.

Ok, now apache needs read only access to public_html, so I would set
permissions this way (2750 shannon:www):

drwxr-s---  2 shannon  www  512 Feb 12 17:30 public_html

All directories under public_html should also have these permissions, all
files should have 0640 or 0644. This would achieve the goal that apache
can read everything it needs to but nothing more.

> matter what, Apache needs read-access to any and all files, so no matter
> what PHP will have access to read any user's files. There's no way around
> that for a shared hosting situation that I know of...

Sure there is: this way apache can not read any other files outside
public_html.

> Your solution doesn't work because the user "keith" could still do a "ls
> /home/shannon/public_html/" and get the directory listing (shannon's
> public_html directory is 0755, per your suggestion). Unless I'm missing
> something...?

You don't have to set it to 0755. If you set it to 2750 keith can no
longer see the files in shannon/public_html as long as he isn't a member
of group www. And even if their homedirs contain a folder that belongs
to group www, they don't have to be members of www themselves.

I don't know your environment, but there are other ways of getting things
more secure, such as the use of jails, restricting shell access or
forcing the use of a restricted shell and so on.

bye,
Uwe
Re: Restricting users to their own home directories / not letting users view other users files...?
Your other proposed solution results in the same situation, correct? No
matter what, Apache needs read-access to any and all files, so no matter
what PHP will have access to read any user's files. There's no way around
that for a shared hosting situation that I know of... If you remove the
groups write privs, then PHP scripts can't really do any damage at least.

Your solution doesn't work because the user "keith" could still do a "ls
/home/shannon/public_html/" and get the directory listing (shannon's
public_html directory is 0755, per your suggestion). Unless I'm missing
something...?

--
Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users out
>> of the entire system, but it does ensure that users can't view other
>> user's files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group "www",
> which also means that any member of the group www gets access to these
> directories. This would be even more dangerous if your webserver runs
> with gid www and contains a php-module or something similar with a long
> tradition of security problems. Sorry, but you really, really should not
> do it this way.
>
> The sticky bit for group www on the public_html directories can be a good
> idea, though.
>
> bye,
> Uwe
Re: Restricting users to their own home directories / not letting users view other users files...?
On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:

> Thanks so much, this solution works really well! It doesn't lock users out
> of the entire system, but it does ensure that users can't view other
> user's files via SFTP/SSH, which is fantastic.

This solution enforces the switch of all user directories to group "www",
which also means that any member of the group www gets access to these
directories. This would be even more dangerous if your webserver runs
with gid www and contains a php-module or something similar with a long
tradition of security problems. Sorry, but you really, really should not
do it this way.

The sticky bit for group www on the public_html directories can be a good
idea, though.

bye,
Uwe
Re: Restricting users to their own home directories / not letting users view other users files...?
Paul,

Thanks so much, this solution works really well! It doesn't lock users out
of the entire system, but it does ensure that users can't view other
user's files via SFTP/SSH, which is fantastic.

The actual syntax for setting the setgid bit on directories is:

find /path/to/directory -type d -exec chmod g+s '{}' \;

Thanks!

--
Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer wrote:
>
>> ... really? Write a script to copy the user's files over on a schedule...?
>>
>> I can see where that might be an option for some people, but that's
>> entirely not an option in this case. I'd have to schedule it to run every
>> 5 seconds or something to keep users from getting upset.
>>
>> What if I symlinked each home user's public_html directory to a directory
>> readable only by Apache? Would Apache be able to read the destination
>> directory via the symlink, even if it doesn't have permission to access
>> the destination directory?
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever
> account the web server is running under.) You really have two
> requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to
> www, then set the sticky bit for the group, and you're done. Seems to me
> that's the simplest way to go about it. Setting the sticky bit ensures
> that any new files created by a user will have www as the group.
>
> So chown -R someuser:www /home/someuser
> find /home/someuser -type d exec "chmod 2750 {}" \;
> find /home/someuser -type f exec "chomd 2640 {}" \;
>
> (Might have my syntax on the find command messed up a bit. Make sure to
> man that.)
>
> If your users have their webfiles in /home/someuser/public_html, then you
> only need to setgid that dir and its subdirs, not the user's homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> ***
> Check the headers before clicking on Reply.
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wed, Feb 11, 2009 at 11:22:17AM -0500, Keith Palmer wrote:

> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.

I did not see a correct answer to your question so far, so here you are:

- set the permissions to the users homedir to 0700

- run "chmod o+x" on the homedir

  this sets the permissions to "drwx-----x" which is exactly what you
  want: others can switch to this directory but _not_ read its contents

- change the permissions to "public_html" to whatever you need for
  apache (0755 probably)

done.

cu,
Uwe
Re: Restricting users to their own home directories / not letting users view other users files...?
On Thursday 12 February 2009 03:07:42 Paul Schmehl wrote:
>
> Sorry if I wasn't clear.
>
> I wasn't suggesting that the *users* chgrp the files. Keith would do that
> as root. Then he sets the setgid bit to www (or whatever the web user is),
> and from that point going forward any files created by the user would be
> user:www instead of user:user. Set the umask to 027, and world has no
> readability.
>
> This is exactly how I used to handle some files on a webserver that I
> maintain that other people needed to be able to edit, add and delete files
> from. Once the sgid bit is set, the group membership of the files remains
> www no matter what user creates/touches a file.

Erm, isn't this only true for Linux and other SysV-type systems?

Unless I'm remembering wrong, in FreeBSD files are always created with
group ownership the same as the directory they're created in - so all you
need to do is change the group ownership of the directory (which has to be
done by root).

Jonathan
Re: Restricting users to their own home directories / not letting users view other users files...?
--On Wednesday, February 11, 2009 14:24:13 -0600 Roland Smith wrote:

>> Why can't you chgroup and setgid the homedirs to www? (Or whatever
>> account the web server is running under.) You really have two
>> requirements:
>>
>> 1) Users can't see other users' files
>> 2) The web server can read all users' web files
>>
>> So you chmod the homedirs to 750/640, and chgroup the dirs and files
>> to www, then set the sticky bit for the group, and you're done.
>
> According to the chgrp manual:
>
> The user invoking chgrp must belong to the specified group and be the
> owner of the file, or be the super-user.

Sorry if I wasn't clear.

I wasn't suggesting that the *users* chgrp the files. Keith would do that
as root. Then he sets the setgid bit to www (or whatever the web user is),
and from that point going forward any files created by the user would be
user:www instead of user:user. Set the umask to 027, and world has no
readability.

This is exactly how I used to handle some files on a webserver that I
maintain that other people needed to be able to edit, add and delete files
from. Once the sgid bit is set, the group membership of the files remains
www no matter what user creates/touches a file.

Note that the first bit isn't usually referred to when discussing chmod.
So most people will say, for example, chmod directories 755. And if you
type '% chmod 755 dir', that's what you'll get. To set the sgid bit, you
need to type '% chmod 2755 dir'. See the man 1 chmod for details.

My apologies for calling the sgid bit the "sticky" bit, since that's not
technically correct. I should have said "setgid" bit rather than "sticky
group bit".

--
Paul Schmehl (pa...@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wed, 2009-02-11 at 11:22 -0500, Keith Palmer wrote:
> OK, I'm sure this question has been asked a million times, but I haven't
> been able to find a straight answer that actually solves the problem, so
> here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user
> *not* be able to view other users' files via an SSH or SFTP session. i.e.
> if I'm logged in as "keith" I should *not* get a list of files when I do
> "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
> Sooo... how can I set this up so that users can't view other user's files,
> but Apache still works?
>
> I would prefer *not* to use jails, as it sounds like a lot of overhead and
> complicated to set up... is there another way?
>
> I've looked at rbash, but it looks like it disables a whole bunch of other
> stuff. My users still need a usable SSH shell. I've looked at rssh and
> scponly, but they seem to disallow SSH shell access completely.

Wouldn't you use permissions where you have the user as owner and the
apache group as group? Something like 750 :www
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wed, Feb 11, 2009 at 01:23:23PM -0600, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer wrote:
>
> > ... really? Write a script to copy the user's files over on a schedule...?
> >
> > I can see where that might be an option for some people, but that's
> > entirely not an option in this case. I'd have to schedule it to run every
> > 5 seconds or something to keep users from getting upset.
> >
> > What if I symlinked each home user's public_html directory to a directory
> > readable only by Apache? Would Apache be able to read the destination
> > directory via the symlink, even if it doesn't have permission to access
> > the destination directory?
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever
> account the web server is running under.) You really have two
> requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files
> to www, then set the sticky bit for the group, and you're done.

According to the chgrp manual:

The user invoking chgrp must belong to the specified group and be the
owner of the file, or be the super-user.

So if a non-root user wanted to add a new file, he'd have to be in the www
group to chgrp! Which would give other users (who'd also have to be in the
www group) at least read access to these files. And possibly to other
files used by apache as well.

Now for these webpages giving others read access shouldn't be that much of
a problem. Since these are webpages they are presumably _meant_ to be read
by others. But giving all the users access to files belonging to apache,
that might not be desirable?

The thing is that the user would need to know that they have to chown and
chmod any new file/dir they create in public_html. For the average windows
user that would probably be too much to ask for.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Restricting users to their own home directories / not letting users view other users files...?
Keith Palmer wrote:

> OK, I'm sure this question has been asked a million times, but I haven't
> been able to find a straight answer that actually solves the problem, so
> here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user
> *not* be able to view other users' files via an SSH or SFTP session. i.e.
> if I'm logged in as "keith" I should *not* get a list of files when I do
> "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon"
> directory to 700. *However* then Apache (running as user "www") won't
> display the documents in "/home/shannon/public_html" from
> "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
> Sooo... how can I set this up so that users can't view other user's files,
> but Apache still works?
>
> I would prefer *not* to use jails, as it sounds like a lot of overhead and
> complicated to set up... is there another way?
>
> I've looked at rbash, but it looks like it disables a whole bunch of other
> stuff. My users still need a usable SSH shell. I've looked at rssh and
> scponly, but they seem to disallow SSH shell access completely.
>
> Thanks in advance!

Try /usr/ports/security/openssh

You can chroot the user into their own home dir. Check out the
ChrootDirectory sshd_config option.

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

DAve

--
The whole internet thing is sucking the life out of me,
there ain't no pony in there.
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wed, 11 Feb 2009, Keith Palmer wrote:

> What if I symlinked each home user's public_html directory to a directory
> readable only by Apache? Would Apache be able to read the destination
> directory via the symlink, even if it doesn't have permission to access
> the destination directory?

You can do something like this easily. Assuming you have access to the
Apache config, you can setup Apache to look in a location other than
/home/${USER} for the public_html directories. Let us call this
/web/${USER}. If you create a directory here for each actual user, and
create a user-owned public_html directory within it, then you can make
your symlinks from the "real" home directory to this location. Apache can
happily operate on the assumption that ${HOME} for each user is
/web/${USER}.

Look for UserDir in the Apache config httpd.conf (for 1.3) or the
httpd-userdir.conf file (for 2.2).

> Is there really no better way to do this...?!?

Even easier is to simply set the default umask for your users (say to 077)
in the system-wide shell initialization for your users' favourite shells.
Then new files will be unreadable, and new directories unbrowsable. User
"A" will be able to see if "B" has created a file in their home dir, but
not what is in it, nor anything below the home directory point. This is
what most systems do -- if people want their items completely private,
they can put them in a sub-dir.

Users can still "give away" privacy by resetting umask or using chmod, but
they could do that in any case, if you allow more than one account per
machine (or jail).

Cheers,
Andrew.
Re: Restricting users to their own home directories / not letting users view other users files...?
On Feb 11, 2009, at 8:22 AM, Keith Palmer wrote:

> We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as "keith" I should *not* get a list of files when I do "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon" directory to 700. *However* then Apache (running as user "www") won't display the documents in "/home/shannon/public_html" from "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.

This is an old, old problem; a reasonable solution is to create a $USER/private directory with 700 permissions for each user, and have them put anything which they consider "secret" under there.

--
-Chuck
Re: Restricting users to their own home directories / not letting users view other users files...?
2009/2/11 Paul Schmehl:

> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer wrote:
>
>> ... really? Write a script to copy the user's files over on a schedule...?
>>
>> I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.
>>
>> What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.) You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done. Seems to me that's the simplest way to go about it. Setting the sticky bit ensures that any new files created by a user will have www as the group.

Sticky doesn't... it's sgid you want. Sticky means that only the creator (owner) can use unlink on the file.

Chris

--
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > (sendmail.cf)
Re: Restricting users to their own home directories / not letting users view other users files...?
--On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer wrote:

> ... really? Write a script to copy the user's files over on a schedule...?
>
> I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.
>
> What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?

Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.) You really have two requirements:

1) Users can't see other users' files
2) The web server can read all users' web files

So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done. Seems to me that's the simplest way to go about it. Setting the sticky bit ensures that any new files created by a user will have www as the group.

So

chown -R someuser:www /home/someuser
find /home/someuser -type d -exec chmod 2750 {} \;
find /home/someuser -type f -exec chmod 2640 {} \;

(Might have my syntax on the find command messed up a bit. Make sure to man that.)

If your users have their webfiles in /home/someuser/public_html, then you only need to setgid that dir and its subdirs, not the user's homedir.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
Check the headers before clicking on Reply.
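A check for the two requirements listed in the message above, written for this page and not taken from the thread: it reports a home directory that other users can list, and public_html content that the web server's group cannot read, that lacks the setgid bit on directories, or that is open to everyone. The function name, the finding labels and the idea of passing the web group as an argument are assumptions of this example.

```shell
#!/bin/sh
# audit_home HOME_DIR WEB_GROUP
# Prints one finding per line; prints nothing when the layout matches.
audit_home() {
    home=$1
    webgrp=$2
    web=$home/public_html

    # Requirement 1: "other" must not have read permission on the home
    # directory, otherwise "ls /home/shannon" works for every user.
    if [ -n "$(find "$home" -prune -perm -0004)" ]; then
        echo "LISTABLE $home"
    fi

    [ -d "$web" ] || return 0

    # Requirement 2: the web tree belongs to the web server's group ...
    find "$web" ! -group "$webgrp" | sed 's/^/WRONG_GROUP /'
    # ... which can read files (0040) and read plus search directories (0050).
    find "$web" -type f ! -perm -0040 | sed 's/^/GROUP_UNREADABLE /'
    find "$web" -type d ! -perm -0050 | sed 's/^/GROUP_UNREADABLE /'
    # setgid (2000) on directories keeps the group on newly created files.
    find "$web" -type d ! -perm -2000 | sed 's/^/NO_SETGID /'
    # With group access in place, no "other" bit is needed in this layout.
    find "$web" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) |
        sed 's/^/OTHER_ACCESS /'
}
```

Looping it over /home/* with the group your web server runs under gives a quick report after a bulk chown/chmod like the one above.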
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wednesday 11 February 2009 07:22:17 Keith Palmer wrote:

> OK, I'm sure this question has been asked a million times, but I haven't been able to find a straight answer that actually solves the problem, so here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as "keith" I should *not* get a list of files when I do "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon" directory to 700. *However* then Apache (running as user "www") won't display the documents in "/home/shannon/public_html" from "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
> Sooo... how can I set this up so that users can't view other user's files, but Apache still works?

Your problem might be how they change the files, if via FTP, but...

- Move the public_html dirs
- chgrp www, chmod 640.
- symlink in the home dir

http://httpd.apache.org/docs/2.2/mod/mod_userdir.html#userdir

Example:

mkdir /var/userweb
for USERDIR in /home/*; do
    # Only touch real directories, not symlinks left by an earlier run.
    if test -d "${USERDIR}/public_html" && test ! -L "${USERDIR}/public_html"; then
        destdir="/var/userweb/${USERDIR##/home/}"
        mkdir "${destdir}"
        # Move the web tree out of the home dir and leave a symlink behind.
        mv "${USERDIR}/public_html" "${destdir}/"
        ln -s "${destdir}/public_html" "${USERDIR}/public_html"
        # Web server group may read, nobody else may.
        chgrp -R www "${destdir}/public_html"
        chmod -R u+w,g-w,o= "${destdir}/public_html"
    fi
done

In httpd.conf:

UserDir /var/userweb/*/public_html

That said, I don't really understand your 'ls' paranoia. If you don't care about ls, you can set user's umask to 0027 and rechmod all files to 640. Have users in their own group and have */public_html group www. /home/username then has to have 755 in order for apache to get to public_html.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wed, Feb 11, 2009 at 01:38:33PM -0500, Keith Palmer wrote:

> ... really? Write a script to copy the user's files over on a schedule...?
>
> I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.

Cron has a granularity of one minute. Otherwise you can write a simple script that calls rsync(1) every five seconds.

At my ISP I can upload my website to my home directory, and then I have to execute a command to make my updates accessible from the outside. You could do something like that as well.

> What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?

Nope. You can't even make the symlink as a normal user:

($ = normal user, # = root)

$ ls -ld /var/heimdal
drwx-- 2 root wheel 512 Feb 11 19:45 /var/heimdal/
# fortune >/var/heimdal/foo
$ ls -s /var/heimdal/foo foo
ls: /var/heimdal/foo: Permission denied

You can make the link as root, but you still can't use it:

# ln -s /var/heimdal/foo foo
# ll foo
lrwxr-xr-x 1 root rsmith 16 Feb 11 19:50 foo@ -> /var/heimdal/foo
$ cat foo
cat: foo: Permission denied

> Is there really no better way to do this...?!?

- Try access control lists to give group WWW access (as mentioned).
- Let them upload via FTP (I think most HTML editors support this).
- Depending on the user's content you could make blogs of their sites? That way they can edit via the browser or their favorite blog posting software.

Roland

--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Restricting users to their own home directories / not letting users view other users files...?
... really? Write a script to copy the user's files over on a schedule...?

I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.

What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?

Is there really no better way to do this...?!?

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Wed, February 11, 2009 1:18 pm, Roland Smith wrote:

> On Wed, Feb 11, 2009 at 11:22:17AM -0500, Keith Palmer wrote:
>>
>> OK, I'm sure this question has been asked a million times, but I haven't been able to find a straight answer that actually solves the problem, so here goes.
>>
>> We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as "keith" I should *not* get a list of files when I do "ls /home/shannon"
>>
>> I realize I can fix this by setting the permissions on the "/home/shannon" directory to 700. *However* then Apache (running as user "www") won't display the documents in "/home/shannon/public_html" from "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>>
>> Sooo... how can I set this up so that users can't view other user's files, but Apache still works?
>
> Chmod the homedirs to 700. And write a script that copies the user's html files/directories (if they have changed) to a location where apache can access them. Run this script as a cronjob for root.
>
> Alternatively, maybe you could use ACLs to grant group www access of the home directories. See setfacl(1). [I've never had the need to try this, so I'm not sure].
>
> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Restricting users to their own home directories / not letting users view other users files...?
On Wed, Feb 11, 2009 at 11:22:17AM -0500, Keith Palmer wrote:

> OK, I'm sure this question has been asked a million times, but I haven't been able to find a straight answer that actually solves the problem, so here goes.
>
> We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as "keith" I should *not* get a list of files when I do "ls /home/shannon"
>
> I realize I can fix this by setting the permissions on the "/home/shannon" directory to 700. *However* then Apache (running as user "www") won't display the documents in "/home/shannon/public_html" from "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.
>
> Sooo... how can I set this up so that users can't view other user's files, but Apache still works?

Chmod the homedirs to 700. And write a script that copies the user's html files/directories (if they have changed) to a location where apache can access them. Run this script as a cronjob for root.

Alternatively, maybe you could use ACLs to grant group www access of the home directories. See setfacl(1). [I've never had the need to try this, so I'm not sure].

Roland

--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Restricting users to their own home directories / not letting users view other users files...?
OK, I'm sure this question has been asked a million times, but I haven't been able to find a straight answer that actually solves the problem, so here goes.

We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as "keith" I should *not* get a list of files when I do "ls /home/shannon"

I realize I can fix this by setting the permissions on the "/home/shannon" directory to 700. *However* then Apache (running as user "www") won't display the documents in "/home/shannon/public_html" from "http://ip-address/~shannon/", instead returning a "403 Forbidden" error.

Sooo... how can I set this up so that users can't view other user's files, but Apache still works?

I would prefer *not* to use jails, as it sounds like a lot of overhead and complicated to set up... is there another way?

I've looked at rbash, but it looks like it disables a whole bunch of other stuff. My users still need a usable SSH shell. I've looked at rssh and scponly, but they seem to disallow SSH shell access completely.

Thanks in advance!

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/