
Re: Apache suEXEC Question



On Fri, Oct 12, 2001 at 01:45:00PM -0400, A.Sleep wrote:
> That's what I was thinking but this is also the first time the box
> hasn't been chroot'ed for users. The idea was to have non-world
> readable home dir's.
>
> There must be some way to do this. Is adding the www-data user into
> each new users group the way to go? I'm still against NOT having a
> chroot'ed jail for the users but it's not my choice.

dunno if this is already what you were doing, but why not use proftpd
which can restrict users to their own home directory? it's not quite the
same as chroot (because you don't need to copy /etc, /usr/bin, /lib, and
so on into each home dir) but it gives a similar effect.

even better, staff accounts can be excluded from the restriction, with a
directive like this in /etc/proftpd.conf:

	DefaultRoot             ~       !staff

then add staff users to group 'staff'.

if you need to give users shell access (imo, a bad idea), then you can
use a shell like /bin/rbash (restricted bash) which prevents them from
changing out of their home directory or changing certain environment
variables like PATH, and restricts what executables they can run...it
doesn't stop them from referring to files outside their home dir if they
type in the full path, though - e.g. "less /home/otheruser/file.txt"


craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
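Craig's last paragraph is the important one for the original goal: DefaultRoot and rbash only limit where the *user* starts and which commands they run; a full path to another user's file still works if the home directory's mode allows it, so the control that actually delivers "non-world-readable home dirs" is the permission bits on each directory. The following is an added shell example, not part of the thread or of proftpd or bash: it walks a /home-style tree, lists every home directory that grants any permission to "other", and offers a fix that strips those bits while leaving owner and group (where www-data could be made a member, as A.Sleep proposed) untouched. It assumes a find that supports -mindepth/-maxdepth (GNU or BSD) and takes the base directory as an argument, defaulting to /home.

```shell
#!/bin/sh
# Added example (not from the thread): audit a /home-style tree for home
# directories that give "other" any access, which is what lets a restricted
# shell user read /home/otheruser/file.txt by full path.
# Assumes: find with -mindepth/-maxdepth (GNU or BSD); base dir in $1 (default /home).

# Print the basename, one per line and sorted, of every direct subdirectory
# of $1 whose mode has any "other" bit set (r=4, w=2, x=1).
# Search-only (--x) directories are flagged too: they still let someone
# open a file inside if they know its name.
audit_home_perms() {
    base="${1:-/home}"
    find "$base" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        | sort \
        | while IFS= read -r d; do
            basename "$d"
        done
}

# Fix for a flagged directory: remove all "other" bits and nothing else.
# Owner keeps full access; the group (e.g. the user's private group with
# www-data added to it, as proposed in the thread) keeps whatever it had.
restrict_home() {
    chmod o-rwx "$1"
}

# Stand-alone usage: audit the tree given as $1 (or /home) and report.
if [ "${1:-}" != "--no-run" ]; then
    if [ -n "$(audit_home_perms "$1")" ]; then
        echo "home directories accessible to 'other' under ${1:-/home}:"
        audit_home_perms "$1"
    fi
fi
```

Running it with no argument prints the offending directories under /home; `restrict_home /home/alice` is the per-directory fix. Because the audit keys on mode bits rather than on what the FTP or shell configuration allows, it stays valid whether the users arrive via proftpd, rbash, or a future service nobody has restricted yet.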


