Re: Restricting users to their own home directories / not letting users view other users files...?
Paul,

Thanks so much, this solution works really well! It doesn't lock users out of the entire system, but it does ensure that users can't view other users' files via SFTP/SSH, which is fantastic.

The actual syntax for setting the setgid bit on directories is:

    find /path/to/directory -type d -exec chmod g+s '{}' \;

Thanks!

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Wed, February 11, 2009 2:23 pm, Paul Schmehl wrote:
> --On Wednesday, February 11, 2009 12:38:33 -0600 Keith Palmer ke...@academickeys.com wrote:
>
>> ... really? Write a script to copy the user's files over on a schedule...? I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.
>>
>> What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?
>
> Why can't you chgroup and setgid the homedirs to www? (Or whatever account the web server is running under.)
>
> You really have two requirements:
>
> 1) Users can't see other users' files
> 2) The web server can read all users' web files
>
> So you chmod the homedirs to 750/640, and chgroup the dirs and files to www, then set the sticky bit for the group, and you're done. Seems to me that's the simplest way to go about it. Setting the sticky bit ensures that any new files created by a user will have www as the group.
>
> So
>
>     chown -R someuser:www /home/someuser
>     find /home/someuser -type d -exec chmod 2750 {} \;
>     find /home/someuser -type f -exec chmod 2640 {} \;
>
> (Might have my syntax on the find command messed up a bit. Make sure to man that.)
>
> If your users have their webfiles in /home/someuser/public_html, then you only need to setgid that dir and its subdirs, not the user's homedir.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions are my own and not those of my employer.
> ***
> Check the headers before clicking on Reply.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Restricting users to their own home directories / not letting users view other users files...?
Your other proposed solution results in the same situation, correct? No matter what, Apache needs read-access to any and all files, so no matter what PHP will have access to read any user's files. There's no way around that for a shared hosting situation that I know of... If you remove the group's write privs, then PHP scripts can't really do any damage at least.

Your solution doesn't work because the user keith could still do a

    ls /home/shannon/public_html/

and get the directory listing (shannon's public_html directory is 0755, per your suggestion).

Unless I'm missing something...?

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 10:45 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 09:39:18AM -0500, Keith Palmer wrote:
>
>> Thanks so much, this solution works really well! It doesn't lock users out of the entire system, but it does ensure that users can't view other users' files via SFTP/SSH, which is fantastic.
>
> This solution enforces the switch of all user directories to group www, which also means that any member of the group www gets access to these directories. This would be even more dangerous if your webserver runs with gid www and contains a php-module or something similar with a long tradition of security problems.
>
> Sorry, but you really, really should not do it this way. The sticky bit for group www on the public_html directories can be a good idea, though.
>
> bye,
> Uwe
Re: Restricting users to their own home directories / not letting users view other users files...?
Ahhh... well, that's a considerably more verbose solution than your first solution. The groups are not the default FreeBSD groups, as I thought you were using.

I will definitely check that out, thanks!

I looked into restricted shells and such, but I couldn't find any documentation or information on that sort of stuff...

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Thu, February 12, 2009 11:48 am, Uwe Laverenz wrote:
> On Thu, Feb 12, 2009 at 11:04:59AM -0500, Keith Palmer wrote:
>
>> Your other proposed solution results in the same situation, correct? No
>
> No, it doesn't. Let's assume shannon is in the login group users, her home directory would look like this:
>
>     drwx-x 2 shannon users 512 Feb 12 17:19 shannon
>
> This ensures that apache can enter /home/shannon which is necessary because that's where public_html is. It is not possible for apache to read the contents of /home/shannon because 'r' is missing. This would achieve the goal that other users including apache can not read the contents of the home dir.
>
> Ok, now apache needs read only access to public_html, so I would set permissions this way (2750 shannon:www):
>
>     drwxr-s--- 2 shannon www 512 Feb 12 17:30 public_html
>
> All directories under public_html should also have these permissions, all files should have 0640 or 0644. This would achieve the goal that apache can read everything it needs to but nothing more.
>
>> matter what, Apache needs read-access to any and all files, so no matter what PHP will have access to read any user's files. There's no way around that for a shared hosting situation that I know of...
>
> Sure there is: this way apache can not read any other files outside public_html.
>
>> Your solution doesn't work because the user keith could still do a ls /home/shannon/public_html/ and get the directory listing (shannon's public_html directory is 0755, per your suggestion). Unless I'm missing something...?
>
> You don't have to set it to 0755. If you set it to 2750 keith can no longer see the files in shannon/public_html as long as he isn't a member of group www. And even if their homedirs contain a folder that belongs to group www, they don't have to be members of www themselves.
>
> I don't know your environment, but there are other ways of getting things more secure, such as the use of jails, restricting shell access or forcing the use of a restricted shell and so on.
>
> bye,
> Uwe
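
Added example (not part of the thread): a POSIX sh audit for the layout Uwe describes in the message above, i.e. home directories with no read bit for group or other, public_html directories at 2750 in the web server's group, and files at 0640 or 0644. The function name audit_homes and the finding labels are made up for this example; the home root and the web group are supplied by the caller.

```shell
#!/bin/sh
# audit_homes ROOT WEBGROUP   (hypothetical helper, added for illustration)
# Prints one line per deviation from the layout; prints nothing when every
# home under ROOT conforms. WEBGROUP must be an existing group name or a
# numeric gid, otherwise find(1) reports an error.
audit_homes() {
    root=$1 webgroup=$2
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue

        # Home directory: group/other may have 'x' (traverse) but never 'r',
        # so nobody else, Apache included, can list its contents.
        find "$home" -prune \( -perm -040 -o -perm -004 \) \
            -exec echo LISTABLE_HOME {} \;

        web=$home/public_html
        [ -d "$web" ] || continue

        # Everything under public_html must be in the web server's group.
        find "$web" ! -group "$webgroup" -exec echo WRONG_GROUP {} \;

        # Directories: exactly 2750 (setgid, group r-x, nothing for other).
        find "$web" -type d ! -perm 2750 -exec echo DIR_NOT_2750 {} \;

        # Files: exactly 0640 or 0644, as stated in the thread.
        find "$web" -type f ! -perm 640 ! -perm 644 \
            -exec echo FILE_NOT_640_644 {} \;
    done
}

# Typical call on the server from the thread (run as root):
#   audit_homes /home www
```

A user who is not a member of the web group then fails both `ls /home/shannon` and `ls /home/shannon/public_html`, while the web server can still traverse the home directory and read the web tree.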
Restricting users to their own home directories / not letting users view other users files...?
OK, I'm sure this question has been asked a million times, but I haven't been able to find a straight answer that actually solves the problem, so here goes.

We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as keith I should *not* get a list of files when I do

    ls /home/shannon

I realize I can fix this by setting the permissions on the /home/shannon directory to 700. *However* then Apache (running as user www) won't display the documents in /home/shannon/public_html from http://ip-address/~shannon/, instead returning a 403 Forbidden error.

Sooo... how can I set this up so that users can't view other users' files, but Apache still works?

I would prefer *not* to use jails, as it sounds like a lot of overhead and complicated to set up... is there another way?

I've looked at rbash, but it looks like it disables a whole bunch of other stuff. My users still need a usable SSH shell.

I've looked at rssh and scponly, but they seem to disallow SSH shell access completely.

Thanks in advance!

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/
Re: Restricting users to their own home directories / not letting users view other users files...?
... really? Write a script to copy the user's files over on a schedule...? I can see where that might be an option for some people, but that's entirely not an option in this case. I'd have to schedule it to run every 5 seconds or something to keep users from getting upset.

What if I symlinked each home user's public_html directory to a directory readable only by Apache? Would Apache be able to read the destination directory via the symlink, even if it doesn't have permission to access the destination directory?

Is there really no better way to do this...?!?

--
- Keith Palmer
ke...@academickeys.com
http://www.AcademicKeys.com/

On Wed, February 11, 2009 1:18 pm, Roland Smith wrote:
> On Wed, Feb 11, 2009 at 11:22:17AM -0500, Keith Palmer wrote:
>
>> OK, I'm sure this question has been asked a million times, but I haven't been able to find a straight answer that actually solves the problem, so here goes.
>>
>> We have a FreeBSD server with multiple users. I would rather each user *not* be able to view other users' files via an SSH or SFTP session. i.e. if I'm logged in as keith I should *not* get a list of files when I do
>>
>>     ls /home/shannon
>>
>> I realize I can fix this by setting the permissions on the /home/shannon directory to 700. *However* then Apache (running as user www) won't display the documents in /home/shannon/public_html from http://ip-address/~shannon/, instead returning a 403 Forbidden error.
>>
>> Sooo... how can I set this up so that users can't view other users' files, but Apache still works?
>
> Chmod the homedirs to 700. And write a script that copies the user's html files/directories (if they have changed) to a location where apache can access them. Run this script as a cronjob for root.
>
> Alternatively, maybe you could use ACLs to grant group www access of the home directories. See setfacl(1). [I've never had the need to try this, so I'm not sure].
>
> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)