Oliver,

I'm not sure what the best way to handle your file permission issue is. The best I can do is offer to you what I would do.

(The following assumes that you're not interested in figuring out how to compile ACLs into Linux and using them instead. They are very flexible, but the downside is they are a pain to get up and working in Linux currently. You can google "Linux ACL" for more information or check out the wikipedia article on ACLs http://en.wikipedia.org/wiki/Access_control_list).

For each user, I would create a unique group. So that if you had users Oliver, Bob, and Alice you would have groups Oliver, Bob, and Alice. Then I would assign the apache user to each of those groups. Then each user's home directory would be owned by the user and their unique group. And permissions would be assigned based on whether you want to give apache read or write access to files...

chown -R Oliver:Oliver /home/Oliver
chmod -R 750 /home/Oliver

The above would grant a default access of read to the apache user allowing web pages to be displayed. For files that need to be writable by the web server you could grant 660 or 770. Note that this also defaults to completely removing "other" access by other users.

This probably isn't optimal if you have a large number of users, but it allows a fine level of control over who can access what....

Good Luck,
Vinny

P.S. The geeklog-security mailing list is for bugs and security problems in the Geeklog code base. Questions about configuration (even security configuration) should probably be sent to geeklog-users (that also allows a much wider audience to answer your questions). You also might get a bigger response by posting this question to the Geeklog.net forums.
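The per-user-group layout described in the reply above, written out as a shell script; this is an added example, not code from the thread or from Geeklog. It assumes a GNU/Linux host with groupadd, usermod and getent, a web server user named "apache", and root for the group and ownership steps; it also splits the `chmod -R 750` into 750 for directories and 640 for files so that web content is readable by the server without being marked executable.

```shell
#!/bin/sh
# Added example, not from the thread: Vinny's per-user-group layout as a script.
# Assumes GNU/Linux (groupadd, usermod, getent), a web server user named
# "apache" (override with WEB_USER) and root for setup_user_home.
set -eu

WEB_USER="${WEB_USER:-apache}"

# Create the user's private group, put the web server user into it and hand
# the home directory to user:group, then apply the modes. Needs root.
setup_user_home() {
    user="$1"
    home="/home/$user"
    getent group "$user" >/dev/null || groupadd "$user"
    usermod -a -G "$user" "$WEB_USER"
    chown -R "$user:$user" "$home"
    apply_modes "$home"
}

# Owner gets full access, the group (i.e. the web server) can read and
# traverse, and "other" gets nothing. Directories 750, files 640 so that
# web content is readable without being marked executable. Works on any
# tree the caller owns, so it can be tried without root.
apply_modes() {
    tree="$1"
    find "$tree" -type d -exec chmod 750 {} +
    find "$tree" -type f -exec chmod 640 {} +
}

# Open a single path for writing by the web server (660 for a file, 770 for
# a directory), still leaving "other" with no access at all.
make_web_writable() {
    path="$1"
    if [ -d "$path" ]; then chmod 770 "$path"; else chmod 660 "$path"; fi
}

# Exact mode check: true when the file's permission bits equal the octal
# mode given. Uses find -perm because stat's flags differ between GNU and BSD.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Usage (as root): setup_user_home oliver
#                  make_web_writable /home/oliver/geeklog/config.php
```

Because other users have no group membership and "other" is cleared, a user logged in over SSH cannot read a neighbour's config.php, while the apache user still can through the per-user group.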
On 9/7/06, Oliver Spiesshofer <oliver spiesshofer.com> wrote:
> Hi all,
>
> I hope this is not too generic, but I have a question about file permissions:
>
> I have a server with several users having homepages on them.
> The structure is normally as such (let's call the user oliver):
>
> /home/oliver/public_html/index.php <- server root
> /home/oliver/geeklog/config.php <- GL backend
> /home/nextuser/... etc
>
> Now currently all users are accessing their files via FTP, locked into their folder. I would like to get rid of FTP and use only SSH/WinSCP.
>
> For this however, I want them to only be able to access their own user dir and not those of others. At the same time, of course, apache has to be able to access all home dirs, and the setup has to be secure to the outside (the web).
>
> So I was hanging around on #gentoo at freenode for 1-2 hours to get a solution but finally I am not sure if it's the best:
>
> Given things:
> 1. all users are in the "users" group, and no other
> 2. apache is in the "apache" group, no other.
>
> So the principle was, as a clean setup:
>
> // only allow RW for the user, nothing for group & others
> chmod -R u+rw-x,go-rwx /home/oliver
> // owners are user:users
> chown -R oliver:users /home/oliver
> // the home directory and the public_html need 701
> chmod 701 /home/oliver
> chmod 701 /home/oliver/public_html
> // change all folders in public so others can execute
> find /home/oliver -type d | xargs chmod o+x-rw
> // change all files in public_html so others can read
> find /home/oliver/public_html -type f | xargs chmod o+r-wx
>
> Now my worry is the following:
> 1. for the backend, that does not work. I need o+r there also
> 2. I have to give o+w to the backend, isn't that insecure?
>
> What would be the ideal setup?
>
> Thanks
>
> Oliver
> _______________________________________________
> geeklog-security mailing list
> geeklog-security lists.geeklog.net
> http://lists.geeklog.net/mailman/listinfo/geeklog-security
>
_______________________________________________
geeklog-users mailing list
geeklog-users lists.geeklog.net
http://lists.geeklog.net/mailman/listinfo/geeklog-users