On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> Ken Teague wrote:
> > On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10@gmail.com> wrote:
> >> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
> >> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
> >> break stuff. Otherwise, just changing $HOME permissions is an excellent
> >> solution.
> >
> > Great point. "chmod 700 $HOME" would make ~/public_html not so
> > public, since, on a Debian box, apache runs under the www-data
> > account. :) So, if Mr. Cohen has such a configuration, he would need
> > to relocate his ~/public_html directory (along with all symlinked
> > scripts or binaries) to a public location that can be accessed by the
> > www-data account, and modify his apache configuration accordingly. I
> > have an account on freeshell.net that is configured like this:
> >
> > [501]itsme@iceland:~$ ls -ld $HOME
> > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> > [502]itsme@iceland:~$ ls -l html
> > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> > [503]itsme@iceland:~$ ls -ld /www/am/i/itsme
> > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
> >
> > This, to me, looks like the most elegant approach.
> >
>
> Actually, this is the sort of situation where a $HOME permission of 711
> would be useful: it disallows wildcard-based access, but if the full
> name is known, the file can be read (assuming it has the correct
> permissions, of course).
>
> You could even go so far as to set the group ownership of $HOME to the
> www-data group and set $HOME to be 710.
A cleaner alternative is to use ACLs (package "acl"):

% setfacl -m g:www-data:rx ~ ~/public_html
% getfacl ~ ~/public_html
getfacl: Removing leading '/' from absolute path names
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

Note, you'll need to enable ACL support on your filesystem, e.g. by
running "mount -o remount,acl /home" and/or setting the acl option in
/etc/fstab.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
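An added illustration, not part of the mail: the getfacl listing above is parsed and evaluated the way the kernel's POSIX.1e check decides access, so you can see that www-data reaches ~/public_html through the named-group entry (and is capped by the mask) even once "other" is stripped. The hardened listing and the user/group memberships passed to can_access are constructed for the example.

```python
# Sample input: the getfacl listing of ~/public_html quoted in the mail.
GETFACL_OUTPUT = """\
# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x
"""
# Constructed variant: the same directory after "chmod o-rwx ~/public_html".
HARDENED_OUTPUT = GETFACL_OUTPUT.replace("other::r-x", "other::---")

def parse_getfacl(text):
    """Return (owner, owning_group, entries); an entry is (tag, qualifier, set of rwx)."""
    owner, group, entries = None, None, []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def can_access(acl, user, groups, want):
    """Does `user` (member of `groups`) hold every right in `want`, e.g. "rx"?
    POSIX.1e order: owner, named user, owning/named groups (capped by the mask),
    other. A matching class lacking the rights denies; it never falls through."""
    owner, owning_group, entries = acl
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if user == owner:
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= masked(p)
    group_matched = False
    for t, q, p in entries:
        if t == "group" and ((q == "" and owning_group in groups) or q in groups):
            group_matched = True
            if want <= masked(p):  # any single matching group entry suffices
                return True
    if group_matched:
        return False
    return want <= next(p for t, q, p in entries if t == "other")
```

With the listing as posted, any user still gets in via other::r-x; with the hardened variant only rleigh and members of www-data do, and www-data can never gain "w" because the mask caps the named-group entry.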