From: Dotan Cohen on
Thanks, all, there is no ~/public_html directory on this desktop
system. I will simply chmod 700 $HOME. Thanks!

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
From: Bob McGowan on
Ken Teague wrote:
> On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10(a)gmail.com> wrote:
>> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
>> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
>> break stuff. Otherwise, just changing $HOME permissions is an excellent
>> solution.
>
> Great point. "chmod 700 $HOME" would make ~/public_html not so
> public, since, on a Debian box, apache runs under the www-data
> account. :) So, if Mr. Cohen has such a configuration, he would need
> to relocate his ~/public_html directory (along with all symlinked
> scripts or binaries) to a public location that can be accessed by the
> www-data account, and modify his apache configuration accordingly. I
> have an account on freeshell.net that is configured like this:
>
> [501]itsme(a)iceland:~$ ls -ld $HOME
> drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> [502]itsme(a)iceland:~$ ls -l html
> lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> [503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme
> drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
>
> This, to me, looks like the most elegant approach.
>

Actually, this is the sort of situation where a $HOME permission of 711
would be useful: it disallows wildcard-based access, but if the full
name is known, the file can be read (assuming it has the correct
permissions, of course).

You could even go so far as to set the group ownership of $HOME to the
www-data group and set $HOME to be 710.

--
Bob McGowan


From: Roger Leigh on
On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> Ken Teague wrote:
> > On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10(a)gmail.com> wrote:
> >> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
> >> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
> >> break stuff. Otherwise, just changing $HOME permissions is an excellent
> >> solution.
> >
> > Great point. "chmod 700 $HOME" would make ~/public_html not so
> > public, since, on a Debian box, apache runs under the www-data
> > account. :) So, if Mr. Cohen has such a configuration, he would need
> > to relocate his ~/public_html directory (along with all symlinked
> > scripts or binaries) to a public location that can be accessed by the
> > www-data account, and modify his apache configuration accordingly. I
> > have an account on freeshell.net that is configured like this:
> >
> > [501]itsme(a)iceland:~$ ls -ld $HOME
> > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> > [502]itsme(a)iceland:~$ ls -l html
> > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> > [503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme
> > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
> >
> > This, to me, looks like the most elegant approach.
> >
>
> Actually, this is the sort of situation where a $HOME permission of 711
> would be useful: it disallows wildcard-based access, but if the full
> name is known, the file can be read (assuming it has the correct
> permissions, of course).
>
> You could even go so far as to set the group ownership of $HOME to the
> www-data group and set $HOME to be 710.

A cleaner alternative is to use ACLs (package "acl"):

% setfacl -m g:www-data:rx ~ ~/public_html

% getfacl ~ ~/public_html
getfacl: Removing leading '/' from absolute path names
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

Note, you'll need to enable ACL support on your filesystem,
e.g. by running "mount -o remount,acl /home" and/or setting
the acl option in /etc/fstab.


Regards,
Roger

--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
From: Tom Furie on
On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> Ken Teague wrote:
> >
> > [501]itsme(a)iceland:~$ ls -ld $HOME
> > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> > [502]itsme(a)iceland:~$ ls -l html
> > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> > [503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme
> > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
> >
> > This, to me, looks like the most elegant approach.
> >
>
> Actually, this is the sort of situation where a $HOME permission of 711
> would be useful: it disallows wildcard-based access, but if the full
> name is known, the file can be read (assuming it has the correct
> permissions, of course).
>
> You could even go so far as to set the group ownership of $HOME to the
> www-data group and set $HOME to be 710.

The way I have it set up is $HOME has rwxr-x--x, public_html has
rwxr-s--- chgrp'd to www-data. Most of my files are rw-------, except
where group read is required, files that fall into that category are
usually located in other directories with relevant permissions set up.
I suppose by now we should really be using ACLs though.

Cheers,
Tom

--
You may be right, I may be crazy,
But it just may be a lunatic you're looking for!
-- Billy Joel
From: Joey Hess on
Roger Leigh wrote:
> % setfacl -m g:www-data:rx ~ ~/public_html

Many web servers are configured to run user-supplied CGI scripts as
www-data, so this approach is not particularly secure.

--
see shy jo
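The permission schemes the thread compares (a 700 home that nobody else can enter, a 711 home that can be traversed but not listed, and a 710 home handed to the www-data group) are summarised below in a small POSIX shell script. This is an added example, not code posted by anyone in the thread: `home_exposure` reads a directory's mode with GNU `stat -c` (as shipped on Debian) and reports what the group and "other" classes can do with it, and `demo_traverse_only` builds a throwaway tree to show the 711 effect from the owner's own side, by giving the owner only the x bit. Directory and file names in it are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers:
#   home_exposure DIR   - classify DIR's group/other permission bits in the
#                         thread's terms (700 closed, 711 traverse-only,
#                         710 + chgrp www-data open to the web server group).
#   demo_traverse_only  - show that with only the x bit a directory cannot
#                         be listed, yet a file whose full path is already
#                         known can still be opened (the point of 711).
# Assumes GNU stat (-c '%a' / -c '%G'); the paths used are hypothetical.

# Map one octal permission digit to what it lets a process do to a directory.
perm_class() {
    case "$1" in
        7|5) echo listable ;;       # r+x: names can be enumerated and opened
        6|4) echo names-only ;;     # r without x: names visible, nothing usable
        3|1) echo traverse-only ;;  # x only: caller must already know the path
        2|0) echo closed ;;         # neither r nor x: no access at all
        *)   echo unknown ;;
    esac
}

# Print "other=<class> group=<class>(<group name>)" for a directory.
home_exposure() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 1
    gname=$(stat -c '%G' "$dir") || return 1
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # 711 -> 0711, 2750 stays
    mode=${mode#?}                # drop the setuid/setgid/sticky digit
    o=${mode#??}                  # "other" digit
    g=${mode%?}; g=${g#?}         # group digit
    printf 'other=%s group=%s(%s)\n' \
        "$(perm_class "$o")" "$(perm_class "$g")" "$gname"
    # A group of www-data here means every process running as www-data,
    # including other users' CGI scripts, gets the group class of access.
}

# Create a directory the owner can only traverse, then try ls and open.
# Prints "ls=denied open=ok" for an unprivileged owner; root ignores mode
# bits and would see ls=ok.
demo_traverse_only() {
    t=$(mktemp -d) || return 1
    d=$t/home                                   # hypothetical $HOME
    mkdir "$d" && printf 'secret\n' >"$d/known.txt" || { rm -rf "$t"; return 1; }
    chmod 0100 "$d"                             # owner: x only, like 711 for others
    if ls "$d" >/dev/null 2>&1; then l=ok; else l=denied; fi
    if cat "$d/known.txt" >/dev/null 2>&1; then c=ok; else c=denied; fi
    chmod 0700 "$d"; rm -rf "$t"                # restore r so cleanup can list it
    printf 'ls=%s open=%s\n' "$l" "$c"
}
```

Run `home_exposure "$HOME"` to see which of the thread's schemes a real home directory currently matches; the group name in the output is what decides whether "group" access means the user's private group or the shared www-data account Joey Hess warns about.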