
/home layout and permissions



>>>>> Sven Joachim <svenjoac@gmx.de> writes:
>>>>> On 2011-09-24 08:21 +0200, Mark Panen wrote:

	[A kind of follow-up to an old news:comp.unix.shell thread [1].]

[1] news:87pr9pzgjl.fsf_-_@violet.siamics.ipv6.uusia.org
    From: Ivan Shmakov <oneingray@gmail.com>
    Newsgroups: comp.unix.shell
    Subject: non-FHS hierarchies: /var/home, /var/public, /var/public/storage
    Date: Thu, 17 Sep 2009 23:23:26 +0700
    (Somehow, Google Groups knows nothing about it.)

 >> What is the out the box permissions for /home/* on Squeeze?

 > 0755, adjust the DIR_MODE variable in /etc/adduser.conf if you like
 > to change that.

	My current preference is to have the following layout under
	/home:

    /home
    |-- …
    |-- private
    |   |-- …
    |   `-- users
    |       `-- USERNAME        — user's home directory (mode: 0700);
    `-- public
        |-- …
        |-- users
        |   `-- USERNAME        — user's public directory (0755);
        `-- storage
            |-- …
            `-- users
                `-- USERNAME    — user's “storage” directory (0755.)

	(As could be seen from the above, I no longer advocate the use
	of a single filesystem for all the variable content; I now
	prefer to use separate filesystems for /var and /home.)

	In principle, the arrangement above could be extended with some
	‘groups’ directories as well, though it seems to me that the
	concurrent access may generally be error-prone.

	For the “hardlinks” to work, it's advisable for /home/private/
	and /home/public/ to share a single filesystem.

	The storage/ hierarchy (residing on a separate filesystem) is
	intended for the (typically larger) content of lower backup
	priority.  There, one could put, e. g., the copies of anything
	readily available for download over the Internet.

	In a typical setup, the public/users/ directories will also be
	accessible via HTTP (via Apache's mod_userdir; with UserDir set
	to /home/public/users/.)  If CGI is also desired, a
	‘public_html’ link pointing to the respective public/users/
	directory could be put into the user's home directory, in order
	to satisfy the suexec(8)'s constraints.  (FWIW, I prefer to have
	an HTTP server installed on all the hosts, unless there's a very
	good reason not to install it.)

--cut: /etc/apache2/sites-available/example --
    <IfModule mod_userdir.c>
        UserDir /home/public/users
    </IfModule>
    <Directory /home/public/users>
        AllowOverride FileInfo Indexes AuthConfig Limit
        Options Indexes ExecCGI SymLinksIfOwnerMatch IncludesNoExec
    </Directory>
--cut: /etc/apache2/sites-available/example --

	It's also an option to have /home/public/ accessible via Rsync
	just as well, but it should be noted that while a user can easily
	control HTTP access by placing .htaccess files where necessary,
	Rsync couldn't be controlled in such a way.

--cut: /etc/rsyncd.conf --
[public]
	path		= /home/public
	comment		= Public directory
--cut: /etc/rsyncd.conf --

-- 
FSF associate member #7257
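
An added example, not part of the original message: a shell function that audits a tree against the layout described above (0700 under private/users, 0755 under public/users and public/storage/users, with private/ and public/ on one filesystem for hard links). The function name `check_layout` and the output format are assumptions, and it relies on GNU `stat -c` as shipped on Debian.

```sh
#!/bin/sh
# check_layout ROOT: print one line per deviation from the layout in the
# message; return 0 if the tree is clean, 1 otherwise.
# Assumption: GNU stat (stat -c), as on Debian. ROOT defaults to /home.
check_layout() {
    root=${1:-/home}
    rc=0

    # Hard links between private/ and public/ need a common filesystem,
    # so compare the device numbers of the two directories.
    if [ -d "$root/private" ] && [ -d "$root/public" ]; then
        if [ "$(stat -c %d "$root/private")" != "$(stat -c %d "$root/public")" ]; then
            echo "FS   $root/private and $root/public are on different filesystems"
            rc=1
        fi
    fi

    # hierarchy:expected-mode pairs, taken from the tree in the message.
    for spec in private/users:700 public/users:755 public/storage/users:755; do
        base=$root/${spec%:*}
        want=${spec#*:}
        [ -d "$base" ] || continue
        for d in "$base"/*; do
            # Only real directories; skip files, symlinks and an unmatched glob.
            [ -d "$d" ] && [ ! -L "$d" ] || continue
            have=$(stat -c %a "$d")
            if [ "$have" != "$want" ]; then
                echo "MODE $d is $have, expected $want"
                rc=1
            fi
        done
    done
    return $rc
}
```

Call it as `check_layout /home`; a home directory under private/users that was created with the adduser default of 0755 shows up as a MODE line.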

