Disallow other users from reading my $HOME
in [Debian]
|
From: Dotan Cohen on 7 Jan 2010 01:50 Thanks, all, there is no ~/public_html directory on this desktop system. I will simply chmod 700 $HOME. Thanks! -- Dotan Cohen http://what-is-what.com http://gibberish.co.il -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
From: Bob McGowan on 7 Jan 2010 11:20 Ken Teague wrote: > On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10(a)gmail.com> wrote: >> Okay, I was assuming recursion because I have a ~/public_html and symlinks from >> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just >> break stuff. Otherwise, just changing $HOME permissions is an excellent >> solution. > > Great point. "chmod 700 $HOME" would make ~/public_html to be not so > public, since, on a Debian box, apache runs under the www-data > account. :) So, if Mr. Cohen has such a configuration, he would need > to relocate his ~/public_html directory (along with all symlinked > scripts or binaries) to a public location that can be accessed by the > www-data account, and modify his apache configuration accordingly. I > have an account on freeshell.net that is configured like this: > > [501]itsme(a)iceland:~$ ls -ld $HOME > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme > [502]itsme(a)iceland:~$ ls -l html > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme > [503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme > > This, to me, looks like the most elegant approach. > Actually, this is the sort of situation where a $HOME permission of 711 would be useful. Disallowing wild card based access but if the full name is known, the file can be read (assuming it has the correct permissions, of course). You could even go so far as to set the group ownership of $HOME to the www-data group and set $HOME to be 710. -- Bob McGowan -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
From: Roger Leigh on 7 Jan 2010 11:50 On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote: > Ken Teague wrote: > > On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10(a)gmail.com> wrote: > >> Okay, I was assuming recursion because I have a ~/public_html and symlinks from > >> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just > >> break stuff. Otherwise, just changing $HOME permissions is an excellent > >> solution. > > > > Great point. "chmod 700 $HOME" would make ~/public_html to be not so > > public, since, on a Debian box, apache runs under the www-data > > account. :) So, if Mr. Cohen has such a configuration, he would need > > to relocate his ~/public_html directory (along with all symlinked > > scripts or binaries) to a public location that can be accessed by the > > www-data account, and modify his apache configuration accordingly. I > > have an account on freeshell.net that is configured like this: > > > > [501]itsme(a)iceland:~$ ls -ld $HOME > > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme > > [502]itsme(a)iceland:~$ ls -l html > > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme > > [503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme > > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme > > > > This, to me, looks like the most elegant approach. > > > > Actually, this is the sort of situation where a $HOME permission of 711 > would be useful. Disallowing wild card based access but if the full > name is known, the file can be read (assuming it has the correct > permissions, of course). > > You could even go so far as to set the group ownership of $HOME to the > www-data group and set $HOME to be 710. A cleaner alternative is to use ACLs (package "acl"): % setfacl -m g:www-data:rx ~ ~/public_html % getfacl ~ ~/public_html getfacl: Removing leading '/' from absolute path names # file: home/rleigh # owner: rleigh # group: rleigh user::rwx group::r-x group:www-data:r-x mask::r-x other::r-x # file: home/rleigh/public_html # owner: rleigh # group: rleigh user::rwx group::r-x group:www-data:r-x mask::r-x other::r-x Note, you'll need to enable ACL support on your filesystem, e.g. by running "mount -o remount,acl /home" and/or setting the acl option in /etc/fstab. Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
From: Tom Furie on 7 Jan 2010 14:00 On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote: > Ken Teague wrote: > > > > [501]itsme(a)iceland:~$ ls -ld $HOME > > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme > > [502]itsme(a)iceland:~$ ls -l html > > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme > > [503]itsme(a)iceland:~$ ls -ld /www/am/i/itsme > > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme > > > > This, to me, looks like the most elegant approach. > > > > Actually, this is the sort of situation where a $HOME permission of 711 > would be useful. Disallowing wild card based access but if the full > name is known, the file can be read (assuming it has the correct > permissions, of course). > > You could even go so far as to set the group ownership of $HOME to the > www-data group and set $HOME to be 710. The way I have it set up is $HOME has rwxr-x--x, public_html has rwxr-s--- chgrp'd to www-data. Most of my files are rw-------, except where group read is required, files that fall into that category are usually located in other directories with relevant permissions set up. I suppose by now we should really be using acl's though. Cheers, Tom -- You may be right, I may be crazy, But it just may be a lunatic you're looking for! -- Billy Joel
From: Joey Hess on 7 Jan 2010 16:20
Roger Leigh wrote: > % setfacl -m g:www-data:rx ~ ~/public_html Many web servers are configured to run user-supplied CGI scripts as www-data, so this approach is not particularly secure. -- see shy jo |