[ale] Multi-user web server permissions

Brandon Checketts brandon at brandonchecketts.com
Fri May 1 10:18:53 EDT 2009 

There is no perfect way to do this that I know of.   What I typically do
is to put each user in his own group.  Then set all of the permissions
in their home dir to 750 add the web server user (ie: apache or httpd)
to that user's group.

The commands would be something like this (note that these exact
commands will destroy any existing permissions, so this could be bad if
your sites need anything special)

# chown -R /home/someuser someuser:someuser
# chmod -R 750 /home/someuser
# lgroupmod --member-add=someuser apache

That should limit one users ability to read other people's files when
doing anything that depends on system permissions like SSH and FTP.


Another alternative is chrooting SSH and FTP sessions.  Most FTP servers
do this easy enough with one or two lines in a config file.  SSH is a
bit more complicated, but I have had good luck with jailkit
(olivier.sessink.nl/jailkit/) to successfully jail SSH/SCP/SFTP users.



However, the larger problem arises when accessing files through Apache.
 Since the web server has to be able to read files from any directory
(ie: that is the whole point), it is not difficult for one user to
create a PHP or CGI script that can read anybody else's files when
accessed through the web server.   There are some attempts at
controlling this, but none that I really like (ie: suexec and running
PHP in CGI mode).


I'd be interested if anybody has some more elegant solutions to the
latter problem.

Thanks,
Brandon Checketts





David M Lemcoe Jr. wrote:
> Hello hello.
> 
> I currently have a server with about 15 people that have domains on
> it. When playing around in SSH, I noticed that if I ssh as a user that
> was not in his own directory, I could change, edit, and view his files.
> 
> What permissions do I need to set in order for other users not to be
> able to access others' files, but let Apache access them.
> 
> It would make sense to first chown the directory, put all the web
> server users in a group, and chmod everything 707.
> 
> Apparently this doesn't work.
> 
> How would you all recommend I do this?
> 
> Thank you!
> 
> David

_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale

More information about the Ale mailing list