[thelist] linux: user / permission chaos
sulasmin suruji
sazmin_alyin at yahoo.com
Fri Apr 20 02:49:24 CDT 2001
--- William Anderson <neuro at well.com> wrote:
> ----- Original Message -----
> From: "Joxn" <joxn at vernum.com>
> To: "Mailinglist at lists.evolt.org :EVOLT" <thelist at lists.evolt.org>
> Sent: Thursday, April 19, 2001 4:21 PM
> Subject: [thelist] linux: user / permission chaos
>
> > Hi,
> > I've got some chaos concerning the user / permission on our RedHat
> > server.
> >
> > I want to lock a user in his homedir eg. /home/userfoo/
> >
> > Our websites are in /home/sites/site01.com/ and so on.
> >
> > /home is owned by root and set to "drwxr-xr-x" - this way the sites work
> > fine.
> >
> > However, if I set ".." in /home/userfoo/ to "drwx------" I actually
> > change the setting of /home and the sites break, too.
> >
> > So how can I lock a user in his homedir without breaking the sites?
>
> okaaaaaaay ...
>
> let's deal with user 'jim', whose homedir is /home/jim, and user 'susan',
> whose homedir is /home/susan. the best way to very basically lock them out
> from each other is to use 711 perms on their directories, that is
> drwx--x--x. You can leave /home as 755 drwxr-xr-x or you can lock that
> down to 711 as well if you like. This allows programs, daemons and
> processes to 'see' inside the directories if paths are fully specified,
> but does not allow things like 'ls'.
>
> so:
>
> ----[ let's login as root
> intrepid:/home> su
> Password:
> ----[ and we'll have a look in /home
> intrepid:/home# ls -l
> total 48
> drwxr-xr-x 8 root     uucp   4096 Dec  6  1997 ftp
> drwxr-xr-x 2 jim      users  4096 Apr 20 01:40 jim
> drwxr-xr-x 2 root     root  16384 Dec 30 18:44 lost+found
> drwxr-sr-x 2 mp3      mp3    4096 Apr 17 20:01 mp3
> drwxr-sr-x 2 neuro    staff  4096 Dec 30 18:53 neuro
> drwxr-xr-x 2 www-data staff  4096 Apr 20 01:41 sites
> drwxrwsr-x 4 root     staff  4096 Jan  2 15:20 squid
> drwxr-xr-x 5 root     root   4096 Apr  4 01:57 support
> drwxr-xr-x 2 susan    users  4096 Apr 20 01:41 susan
> ----[ and we see jim and susan have homedirs - let's change their privs
> intrepid:/home# chmod 711 jim
> intrepid:/home# chmod 755 susan
> ----[ ok, jim should be drwx--x--x and susan should be drwxr-xr-x
> ----[ meaning jim's dir is not immediately visible, but susan's is
> intrepid:/home# ls -ld jim susan
> drwx--x--x 4 root     staff  4096 Apr 20 01:42 jim
> drwxr-xr-x 4 root     staff  4096 Apr 20 01:42 susan
> ----[ yep, ok let's put some content in their directories ...
> intrepid:/home# mkdir jim/fish
> intrepid:/home# mkdir jim/cheese
> intrepid:/home# mkdir susan/pages
> intrepid:/home# mkdir susan/diary
> ----[ and we'll bug out of being root and look as a regular user
> intrepid:/home# exit
> intrepid:/home> ls -FC jim
> ls: jim: Permission denied
> intrepid:/home> ls -FC susan
> diary/ pages/
> ----[ so jim's dirs are not visible, but susan's are
> intrepid:/home> ls -l sites
> total 20
> drwxr-sr-x 2 www-data staff  4096 Apr 20 01:41 www.chicken
> drwxr-sr-x 2 www-data staff  4096 Apr 20 01:41 www.green
> drwxr-sr-x 2 www-data staff  4096 Apr 20 01:41 www.jim
> drwxr-sr-x 2 www-data staff  4096 Apr 20 01:41 www.pinhole
> drwxr-sr-x 2 www-data staff  4096 Apr 20 01:41 www.susan
> ----[ and as a user, I can still see inside sites, which, to be honest
> ----[ could be set 755 or 711, and would still work, but as you mention
> ----[ correctly, setting /home as 700, or drwx------, would be catastrophic
> ----[ to the web server and users ... setting /home as 711 would stop users
> ----[ noseying around under /home as well :)
>
> HTH
>
> --
> William Anderson - neuro @well.com - www.well.com/~neuro
> "All your base are belong to us. You are on the way to destruction." -- CATS, Zero Wing
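The quoted reply reasons about three directory modes: 755 (others can list and traverse), 711 (others can traverse to a known full path but cannot run ls), and 700 on /home (nothing below it reachable by the web server or other users). The script below is an added example, not code from the thread or from either poster; it builds a throwaway tree standing in for /home with the same layout (jim at 711, susan at 755, sites at 755 with one vhost beneath) and audits it the way the reply does: which directories are traverse-only, whether a daemon running as an unrelated user can still reach a vhost path, and what happens when /home itself is set to 700. All paths and modes are constructed for the demo; nothing is read from or written to a real /home.

```python
import os
import stat
import tempfile

# Added example (not from the thread). Every path and mode below is constructed
# for the demo in a temporary directory; nothing touches the real /home.


def classify_other(mode):
    """Label a directory by its 'other' bits, matching the modes in the thread:
    755 -> 'listable'       (others can ls it and traverse it)
    711 -> 'traverse-only'  (known full paths resolve, but ls is denied)
    700 -> 'closed'         (other users cannot reach anything beneath it)."""
    readable = bool(mode & stat.S_IROTH)
    executable = bool(mode & stat.S_IXOTH)
    if executable and readable:
        return "listable"
    if executable:
        return "traverse-only"
    if readable:
        return "list-but-no-enter"  # names visible, contents unreachable
    return "closed"


def other_can_reach(root, relpath):
    """True if a user who is neither owner nor group member of any component
    can resolve root/relpath: every directory on the way must grant o+x."""
    cur = root
    for part in [p for p in relpath.split("/") if p]:
        if not os.stat(cur).st_mode & stat.S_IXOTH:
            return False
        cur = os.path.join(cur, part)
    return os.path.exists(cur)


def other_can_list(path):
    """True if 'other' can run ls on the directory itself (needs o+r).
    Its ancestors still need o+x, which other_can_reach checks separately."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_home(home):
    """Report each top-level directory under home with its classification,
    the view a sysadmin wants before deciding between 755, 711 and 700."""
    report = {}
    for name in sorted(os.listdir(home)):
        path = os.path.join(home, name)
        if os.path.isdir(path):
            report[name] = classify_other(os.stat(path).st_mode)
    return report


def build_demo_tree():
    """Constructed layout mirroring the thread: home 755, jim 711, susan 755,
    sites 755 with one vhost below. Returns the temp directory standing in
    for /home (parents are listed before children so mkdir order is right)."""
    home = tempfile.mkdtemp(prefix="homedemo_")
    layout = {
        "jim": 0o711, "jim/fish": 0o755,
        "susan": 0o755, "susan/diary": 0o755,
        "sites": 0o755, "sites/site01.com": 0o755,
    }
    for rel in layout:
        os.mkdir(os.path.join(home, rel))
    for rel, mode in layout.items():
        os.chmod(os.path.join(home, rel), mode)
    os.chmod(home, 0o755)
    return home


def breaks_sites_if_home_closed(home):
    """Reproduce the original poster's mistake: chmod 700 on /home (which is
    what chmod on '..' from inside a homedir does) and check whether the vhost
    is still reachable by an unrelated user such as the web server. Restores
    755 afterwards so the tree can be audited again."""
    os.chmod(home, 0o700)
    reachable = other_can_reach(home, "sites/site01.com")
    os.chmod(home, 0o755)
    return not reachable


if __name__ == "__main__":
    demo = build_demo_tree()
    for name, cls in audit_home(demo).items():
        print(f"{name:8s} {cls}")
    print("jim/fish reachable by full path:", other_can_reach(demo, "jim/fish"))
    print("jim listable by other users:    ", other_can_list(demo + "/jim"))
    print("700 on /home breaks the sites:  ", breaks_sites_if_home_closed(demo))
```

The checks look only at the 'other' bits, which is the case the thread is about (the web server and the other home-directory owners share neither uid nor group with jim). Run it as a regular user or as root; the classification reads mode bits rather than trying the access, so it gives the same answer either way.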