Question

So, for my clients who have sites hosted on my server, I create user accounts, with standard home folders inside /home.

I set up an SSH jail for all the collective users, because I really am against using a separate FTP server. Then, I installed ACL and added acl to my /etc/fstab — all good.

  1. I cd into /home and chmod 700 ./*.
    • At this point users cannot see into other users' home directories (yay), but apache can't see them either (boo).
  2. I ran setfacl u:www-data:rx ./*. I also tried individual directories.
    • Now apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.

How do I set up ACLs so that (1) Apache can see the sites hosted in users' home folders AND (2) users can't see outside their home and into others' files?


Solution

Since I cross-posted the question (I didn't know about ServerFault until after I asked), I'll cross-post the answer, since I personally find the question to be appropriate for both communities.

hayalci's (on ServerFault) comment that

chmod and setfacl do not work too well together.

helped a good deal. Instead of using CHMOD to prevent other groups from accessing the data, I used:

    cd /home
    setfacl -m g::0 joeuser             # Removes permissions for the owning group.
    setfacl -m g:www-data:r joeuser     # Adds read permissions for Apache.
    cd joeuser/joeuser.com/static/
    setfacl -m g:www-data:rwx uploads   # So apache can write to the uploads directory.

OTHER TIPS

One trick I've used on shared boxes is to:

  • recursively set the contents of the home directories to not allow access to "other" users

    chmod -R o-rwx /home/*

  • set all the top-level user's home directories permissions to be executable by "other" users

    chmod o+x /home/*

  • change each user's public_html directory group to www-data (or your apache group)

    chgrp www-data /home/*/public_html

  • change all the directories under /home/*/public_html to be setgid

    find /home/user/public_html -type d -exec chmod 2750 {} \;

Don't add any of the users to the www-data (or apache) group. Even though they aren't members, the setgid trick will still make the files readable by apache. It's not foolproof (moving files does not always change group owner and sometimes the other user permissions are left if present before a move) but it does work on my box. Hope this helps a little! Maybe someone else will have a better solution.

My typical way of doing it, assuming that all users are in the "users" group:

    chmod 701 /home/*
    chgrp users /home/*

Optionally do the same on /home itself to prevent users from seeing a list of home directories. However, they can pull almost the same list from /etc/passwd or getent passwd.

Now everyone in the users group will be denied access to all homedirs (except their own). Non-members of users (such as Apache and other services) will still be able to cd into the homedirs, but will be unable to do ls.

    chmod 755 /home/*/public_html    # Replace with whatever www path you use

Now Apache and other services will be free to cd /home/foobar/public_html to list files and whatever else a webserver needs.
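The setups above (the question's chmod 700 plus a named-user ACL entry, the accepted answer's g::0 plus g:www-data:r, and the chmod 701 and setgid tricks from the other answers) all come down to one algorithm: the POSIX.1e access check described in acl(5), plus the rule that a setgid directory hands its group to newly created files. The model below is an added example, not code from the question or any of the answers. It implements that algorithm and replays each setup so you can see who actually gets in; the uids, gids and the "users" and "www-data" group ids are constructed sample values. Two details it makes visible: when an ACL has a mask entry, the group column that ls -l shows is the mask, not the owning group's own entry (which is why a 700 directory reads as 750 after setfacl -m u:www-data:rx), and a process that matches any group-class entry never falls back to the "other" bits, which is what makes chmod 701 with chgrp users block members of that group while still letting Apache traverse.

```python
"""Model of the POSIX.1e ACL access check (acl(5)) and of setgid group
inheritance, used to replay the permission setups discussed on this page.
Added example; uids, gids and group names are constructed sample values."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1
JOE, BOB, WWW = 1001, 1002, 33      # constructed uids: two customers, apache
USERS, WWW_G = 100, 33              # constructed gids: "users", "www-data"


@dataclass
class Acl:
    """One file's ownership, mode bits and extended ACL entries."""
    owner_uid: int
    group_gid: int
    user_obj: int                   # ACL_USER_OBJ: the owner's rwx bits (0-7)
    group_obj: int                  # ACL_GROUP_OBJ: the owning group's bits
    other: int                      # ACL_OTHER
    users: dict = field(default_factory=dict)   # ACL_USER:  uid -> perms
    groups: dict = field(default_factory=dict)  # ACL_GROUP: gid -> perms
    setgid: bool = False

    @property
    def mask(self):
        """ACL_MASK as setfacl -m recalculates it: the union of every
        group-class entry. A minimal ACL (no named entries) has no mask."""
        if not self.users and not self.groups:
            return None
        m = self.group_obj
        for perms in list(self.users.values()) + list(self.groups.values()):
            m |= perms
        return m

    def ls_mode(self):
        """Octal mode as ls -l / stat report it: when a mask exists, the
        group column shows the mask, not the owning group's own entry."""
        g = self.group_obj if self.mask is None else self.mask
        return f"{self.user_obj}{g}{self.other}"

    def allows(self, uid, gids, want):
        """True if a process with this uid and group set is granted 'want'."""
        if uid == self.owner_uid:
            return self.user_obj & want == want
        if uid in self.users:                       # named user, masked
            return self.users[uid] & self.mask & want == want
        effective = 7 if self.mask is None else self.mask
        candidates = [self.group_obj] if self.group_gid in gids else []
        candidates += [p for g, p in self.groups.items() if g in gids]
        if candidates:
            # Any matching group entry that (after the mask) grants the request
            # suffices; a group-class match never falls back to "other".
            return any(p & effective & want == want for p in candidates)
        return self.other & want == want


def question_setup():
    """chmod 700 joeuser; setfacl -m u:www-data:rx joeuser"""
    return Acl(JOE, USERS, user_obj=7, group_obj=0, other=0, users={WWW: R | X})


def solution_setup():
    """...then setfacl -m g::0 joeuser; setfacl -m g:www-data:r joeuser"""
    return Acl(JOE, USERS, user_obj=7, group_obj=0, other=0, groups={WWW_G: R})


def chmod_701_setup():
    """chmod 701 /home/joe; chgrp users /home/joe (the last answer's trick)"""
    return Acl(JOE, USERS, user_obj=7, group_obj=0, other=X)


def new_file_gid(directory, creator_gid):
    """Group of a file created inside directory: inherited if setgid is set."""
    return directory.group_gid if directory.setgid else creator_gid


def moved_file_gid(file_gid):
    """mv within one filesystem is a rename: the file keeps its group."""
    return file_gid


if __name__ == "__main__":
    q = question_setup()
    print("question:", q.ls_mode(),                         # 750
          "www-data rx:", q.allows(WWW, {WWW_G}, R | X),    # True
          "bob rx:", q.allows(BOB, {USERS}, R | X))         # False
    s = solution_setup()
    print("solution: www-data r:", s.allows(WWW, {WWW_G}, R),   # True
          "www-data x:", s.allows(WWW, {WWW_G}, X))             # False
    t = chmod_701_setup()
    print("701: bob x:", t.allows(BOB, {USERS}, X),         # False
          "www-data x:", t.allows(WWW, {WWW_G}, X),         # True
          "www-data r:", t.allows(WWW, {WWW_G}, R))         # False
    public_html = Acl(JOE, WWW_G, 7, R | X, 0, setgid=True)     # chmod 2750
    print("new file gid:", new_file_gid(public_html, USERS),    # 33
          "moved file gid:", moved_file_gid(USERS))             # 100
```

Reading the replay: in the question's setup the model grants www-data rx and denies bob, even though ls reports 750, because the owning group's own entry is still 0 behind the mask. In the accepted answer's setup www-data gets r on the home directory but not x, so whether it suffices depends on what Apache must do there; traversing into subdirectories needs x, and getfacl is the tool that shows the real entries rather than the mask. The setgid lines reproduce the caveat from the tips: a file created inside a 2750 public_html directory takes the www-data group, while a file moved in keeps whatever group it had.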

Licensed under: CC-BY-SA with attribution