On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> Ken Teague wrote:
> >
> > [501]itsme@iceland:~$ ls -ld $HOME
> > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> > [502]itsme@iceland:~$ ls -l html
> > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> > [503]itsme@iceland:~$ ls -ld /www/am/i/itsme
> > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
> >
> > This, to me, looks like the most elegant approach.
> >
>
> Actually, this is the sort of situation where a $HOME permission of 711
> would be useful. Disallowing wild card based access but if the full
> name is known, the file can be read (assuming it has the correct
> permissions, of course).
>
> You could even go so far as to set the group ownership of $HOME to the
> www-data group and set $HOME to be 710.

The way I have it set up is $HOME has rwxr-x--x, public_html has rwxr-s--- chgrp'd to www-data. Most of my files are rw-------, except where group read is required; files that fall into that category are usually located in other directories with relevant permissions set up.

I suppose by now we should really be using ACLs though.

Cheers,
Tom

-- 
You may be right, I may be crazy,
But it just may be a lunatic you're looking for!
-- Billy Joel
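Added example, not part of the original message: a POSIX shell sketch that rebuilds the layout described above (rwxr-x--x on the home directory, rwxr-s--- on public_html) in a scratch directory and decodes what group and other can do under modes such as 711, 710 and 751. It assumes GNU `stat`; the caller's primary group stands in for www-data, and the function and directory names are hypothetical.

```shell
#!/bin/sh
# Added illustration. Assumes GNU stat; the caller's primary group stands in
# for www-data, and all function and directory names are hypothetical.

# dir_access MODE CLASS: what CLASS (group|other) may do on a directory.
# r without x shows names only; x without r allows access by exact name only.
dir_access() {
    mode=$(( 0$1 ))
    case $2 in
        group) bits=$(( (mode >> 3) & 7 )) ;;
        other) bits=$(( mode & 7 )) ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    r=$(( bits & 4 )); x=$(( bits & 1 ))
    if [ "$r" -ne 0 ] && [ "$x" -ne 0 ]; then echo "list+traverse"
    elif [ "$x" -ne 0 ]; then echo "traverse-only"
    elif [ "$r" -ne 0 ]; then echo "names-only"
    else echo "none"
    fi
}

# has_setgid MODE: true when new entries inherit the directory's group.
has_setgid() { [ $(( 0$1 & 02000 )) -ne 0 ]; }

mode_of() { stat -c '%a' "$1"; }

# build_layout: create home (751) and home/public_html (2750) under a
# scratch directory and print its path.
build_layout() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/public_html" || return 1
    chgrp "$(id -g)" "$root/home" "$root/home/public_html"
    chmod 2750 "$root/home/public_html"   # rwxr-s---
    chmod 751 "$root/home"                # rwxr-x--x
    echo "$root"
}

report() {
    for d in "$1/home" "$1/home/public_html"; do
        m=$(mode_of "$d")
        has_setgid "$m" && sg=yes || sg=no
        echo "${d#"$1"/} mode=$m group=$(dir_access "$m" group)" \
             "other=$(dir_access "$m" other) setgid=$sg"
    done
}

scratch=$(build_layout) && report "$scratch"
rm -rf "$scratch"
```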