Re: Users deleting public_html and log causing Apache to fail startup
On Fri, Jul 05, 2002 at 11:38:53AM +1000, Jason Lim wrote:
> > But won't "rmdir ." succeed if they are in the public_html directory?
[...]
> I was just thinking about (using your examples) making the htdocs and
> cgi-bin directories immutable (+i). However, I am not very familiar with
> using those "flags" so I'm not certain as to what consequences that would
> have... making it immutable means that the directory won't be able to be
> deleted, but files CAN be added/deleted within the immutable
> directory, right?
I think the +t sticky bit is what you want. From the chmod man page;

    STICKY DIRECTORIES
        When the sticky bit is set on a directory, files in that
        directory may only be unlinked or renamed by root or their
        owner. (Without the sticky bit, anyone able to write to
        the directory can delete or rename files.) ...

Given this, I would suggest something like this for an example user "abo";

    minkirri:~$ dl
    total 2
    drwxrws--t   4 root  abo    81 Jul  5 13:13 ./
    drwxrwsrwx   6 root  root  458 Jul  5 13:17 ../
    drwxr-s---   2 root  abo    35 Jul  5 13:13 log/
    drwxrwsr-x   2 root  abo    35 Jul  5 13:13 public_html/

Note that ~ only allows "other" execute access. This allows apache to access
and serve ~/public_html, but no "other"s can list ~. The +t setting means
files in this directory can only be deleted/renamed by their owners. The g+s
settings are there to ensure files in these directories are group abo.
Note that ~, ~/log, and ~/public_html are root:abo. The group abo has
read/write access to ~/public_html, but because abo doesn't own it he can't
remove it. The group abo has only read access to ~/log and can't remove it
either.
--
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------
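
The permission logic of the layout above, modelled as an added example that is not part of the original message: it applies the sticky-directory rule as Linux implements it (the entry's owner, the directory's owner or root may remove) to the three modes in the listing. The numeric ids, the second user and the file `page` are constructed for illustration, and root is simplified to "always allowed".

```python
import stat
from collections import namedtuple

# Constructed stand-in for an os.stat() result: mode bits, owner uid, group gid.
Node = namedtuple("Node", "mode uid gid")
ROOT, ABO = 0, 1000          # assumed ids: root, and uid/gid 1000 for user and group "abo"

def may_write_search(d, uid, gids):
    """True if uid has both w and x on directory d (owner, group or other class)."""
    if uid == ROOT:          # simplification: root bypasses permission checks
        return True
    shift = 6 if uid == d.uid else 3 if d.gid in gids else 0
    return ((d.mode >> shift) & 0o3) == 0o3

def may_remove(parent, entry, uid, gids):
    """Can uid unlink, rmdir or rename entry inside directory parent?"""
    if not may_write_search(parent, uid, gids):
        return False
    if parent.mode & stat.S_ISVTX and uid != ROOT:
        # Sticky directory: only the entry's owner or the directory's owner may.
        return uid in (entry.uid, parent.uid)
    return True

# The layout from the listing in the message (all three are root:abo).
home = Node(stat.S_IFDIR | 0o3771, ROOT, ABO)         # ./
log = Node(stat.S_IFDIR | 0o2750, ROOT, ABO)          # log/
public_html = Node(stat.S_IFDIR | 0o2775, ROOT, ABO)  # public_html/
page = Node(stat.S_IFREG | 0o664, ABO, ABO)           # constructed: a file abo created

def mode_strings():
    """Render the octal modes back into ls notation to compare with the listing."""
    return [stat.filemode(n.mode) for n in (home, log, public_html)]

def report():
    abo, other = (ABO, {ABO}), (1001, {1001})         # 1001: constructed unrelated user
    no_sticky = home._replace(mode=home.mode & ~stat.S_ISVTX)
    return {
        "abo removes ~/public_html": may_remove(home, public_html, *abo),
        "abo removes ~/log": may_remove(home, log, *abo),
        "abo removes ~/public_html, no +t on ~": may_remove(no_sticky, public_html, *abo),
        "abo removes own file in ~": may_remove(home, page, *abo),
        "abo removes own file in ~/public_html": may_remove(public_html, page, *abo),
        "other user removes ~/public_html": may_remove(home, public_html, *other),
    }

if __name__ == "__main__":
    print(mode_strings())
    for action, allowed in report().items():
        print(f"{'ALLOWED' if allowed else 'denied ':8} {action}")
```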