Re: [gentoo-user] Apache + Per User Directory configuration
Hi Ognjen, on Monday, 2006-05-01 at 11:22:23, you wrote:

> I have spent most of the day getting per user web serving to work (/home/$user/public_html = http://server/~$user) but was constantly getting 401 Forbidden errors with apache2. After lots of hunting I found that you have to set the permissions for the user directories to 755 (a+rx). So now it works, but all the users can see each other's home directories, which is unacceptable for this server. So I am here to ask if anyone can recommend a more secure way of doing this.

My web server is still running an old SuSE system, but this should be basically the same. There are two ways to solve this.

If you use the public_html subdirectory approach, $HOME only has to be o+x, so others can *enter* a user's directory but not *view* its contents. That should be acceptable if people use a safe umask.

The reason we changed it a while ago was that we wanted to allow CGIs, at least for certain users, some of which didn't know that much about input sanitizing 'n stuff, so a hacker could try to read other people's files by guessing their names---the web server would need access to the whole NFS-mounted parent of everybody's home. So now $HOME/public_html is just a link to /www/home/$USER which lives on the web server and is exported from there. That way a rogue CGI script could read other people's web pages, which is far less critical. Of course you still have to check once in a while so you don't expose your passwd file or something.

cheers!
Matthias

--
I prefer encrypted and signed messages.
KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
[gentoo-user] Apache + Per User Directory configuration
Hi,

I have spent most of the day getting per user web serving to work (/home/$user/public_html = http://server/~$user) but was constantly getting 401 Forbidden errors with apache2. After lots of hunting I found that you have to set the permissions for the user directories to 755 (a+rx). So now it works, but all the users can see each other's home directories, which is unacceptable (security-wise) for this server.

So I am here to ask if anyone can recommend a more secure way of doing this. I want each user's home directory readable only by that user (no other users) but that apache can still serve without a Forbidden error.

Any tips appreciated, thanks!

--
http://ziva-vatra.dnsalias.com/~ognen

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Apache + Per User Directory configuration
On Thursday 04 May 2006 21:17, Ognjen Bezanov wrote:

> Any tips appreciated, thanks!

Yeah, read your email. You got 2 replies to this, one on Monday, one today.

--
Mike Williams
[gentoo-user] Apache + Per User Directory configuration
Hi,

I have spent most of the day getting per user web serving to work (/home/$user/public_html = http://server/~$user) but was constantly getting 401 Forbidden errors with apache2. After lots of hunting I found that you have to set the permissions for the user directories to 755 (a+rx). So now it works, but all the users can see each other's home directories, which is unacceptable for this server.

So I am here to ask if anyone can recommend a more secure way of doing this. I want each user's home directory readable only by that user (no other users) but that apache can still serve without a Forbidden error.

Any tips appreciated, thanks!

--
http://ziva-vatra.dnsalias.com/~ognen
Re: [gentoo-user] Apache + Per User Directory configuration
On Monday 01 May 2006 12:22, Ognjen Bezanov wrote:

> I have spent most of the day getting per user web serving to work (/home/$user/public_html = http://server/~$user) but was constantly getting 401 Forbidden errors with apache2. After lots of hunting I found that you have to set the permissions for the user directories to 755 (a+rx). So now it works, but all the users can see each other's home directories, which is unacceptable for this server. So I am here to ask if anyone can recommend a more secure way of doing this. I want each user's home directory readable only by that user (no other users) but that apache can still serve without a Forbidden error.

Make all users part of the same group. Allow users (u) rwX, group (g) nothing, and others (o) rX, or u+rwX,g-rwx,o+rX. This allows everyone to read files and enter directories, except those in the same group.

--
Mike Williams
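Both replies describe a permission layout in words. As an added example that is not code from either poster, the script below applies Mike's scheme (u+rwX,g-rwx,o+rX, which yields directories 0705 and files 0604) and Matthias's scheme (a traverse-only $HOME with a world-readable public_html) to a constructed temporary home directory, and implements the "check once in a while" Matthias mentions: a walk that lists files outside public_html that "other" can still read. The function names, the mode constants and the sample home are assumptions made for this example.

```python
import os
import stat
import tempfile

# Matthias: $HOME is o+x only (enter, not list) and public_html is world
# readable.  Mike: all users share a group the web server is not in, and
# u+rwX,g-rwx,o+rX gives directories 0705 and files 0604.
HOME_TRAVERSE_ONLY = 0o711
PUBLIC_HTML = 0o755
SHARED_GROUP_DIR = 0o705
SHARED_GROUP_FILE = 0o604

def mode_of(path):
    """Permission bits of path itself (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def apply_traverse_only_scheme(home):
    os.chmod(home, HOME_TRAVERSE_ONLY)
    os.chmod(os.path.join(home, "public_html"), PUBLIC_HTML)

def apply_shared_group_scheme(home):
    """Recursive equivalent of chmod -R u+rwX,g-rwx,o+rX (symlinks skipped)."""
    for root, _dirs, files in os.walk(home):
        os.chmod(root, SHARED_GROUP_DIR)
        for name in files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                os.chmod(path, SHARED_GROUP_FILE)

def others_readable_outside_public_html(home):
    """Periodic check: files outside public_html that 'other' can read, i.e.
    reachable through a traverse-only $HOME by anyone who guesses the name."""
    public = os.path.join(home, "public_html") + os.sep
    leaks = []
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            if not path.startswith(public) and mode_of(path) & stat.S_IROTH:
                leaks.append(os.path.relpath(path, home))
    return sorted(leaks)

def make_demo_home():
    """Constructed sample home: public_html plus a private file left 0644."""
    home = tempfile.mkdtemp(prefix="userdir-demo-")
    os.mkdir(os.path.join(home, "public_html"))
    for rel in ("public_html/index.html", "private.txt"):
        with open(os.path.join(home, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(home, rel), 0o644)  # as left by umask 022
    return home
```

Under the traverse-only scheme the check reports private.txt because a careless umask left it o+r; under the shared-group scheme it is reported as well, since there "other" (including the web server user) is deliberately given read access and only members of the shared group are locked out.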