[thelist] linux: user / permission chaos

William Anderson neuro at well.com
Thu Apr 19 19:49:21 CDT 2001


----- Original Message -----
From: "Joxn" <joxn at vernum.com>
To: "Mailinglist at lists.evolt.org :EVOLT" <thelist at lists.evolt.org>
Sent: Thursday, April 19, 2001 4:21 PM
Subject: [thelist] linux: user / permission chaos


> Hi,
> I've got some chaos concerning the user / permission on our RedHat
> server.
>
> I want to lock a user in his homedir, e.g. /home/userfoo/
>
> Our websites are in /home/sites/site01.com/ and so on.
>
> /home is owned by root and set to "drwxr-xr-x" - this way the sites work
> fine.
>
> However, if I set ".." in /home/userfoo/ to "drwx------" I actually
> change the setting of /home and the sites break, too.
>
> So how can I lock a user in his homedir without breaking the sites?

okaaaaaaay ...

let's deal with user 'jim', whose homedir is /home/jim, and user 'susan',
whose homedir is /home/susan.  the best way to very basically lock them out
of each other's directories is to use 711 perms on their directories, that is
drwx--x--x.  You can leave /home as 755 drwxr-xr-x or you can lock that down
to 711 as well if you like.  This allows programs, daemons and processes to
'see' inside the directories if paths are fully specified, but does not allow
things like 'ls'.

so:

----[ let's login as root
intrepid:/home> su
Password:
----[ and we'll have a look in /home
intrepid:/home# ls -l
total 48
drwxr-xr-x    8 root     uucp         4096 Dec  6  1997 ftp
drwxr-xr-x    2 jim      users        4096 Apr 20 01:40 jim
drwxr-xr-x    2 root     root        16384 Dec 30 18:44 lost+found
drwxr-sr-x    2 mp3      mp3          4096 Apr 17 20:01 mp3
drwxr-sr-x    2 neuro    staff        4096 Dec 30 18:53 neuro
drwxr-xr-x    2 www-data staff        4096 Apr 20 01:41 sites
drwxrwsr-x    4 root     staff        4096 Jan  2 15:20 squid
drwxr-xr-x    5 root     root         4096 Apr  4 01:57 support
drwxr-xr-x    2 susan    users        4096 Apr 20 01:41 susan
----[ and we see jim and susan have homedirs - let's change their privs
intrepid:/home# chmod 711 jim
intrepid:/home# chmod 755 susan
----[ ok, jim should be drwx--x--x and susan should be drwxr-xr-x
----[ meaning jim's dir is not immediately visible, but susan's is
intrepid:/home# ls -ld jim susan
drwx--x--x    4 root     staff        4096 Apr 20 01:42 jim
drwxr-xr-x    4 root     staff        4096 Apr 20 01:42 susan
----[ yep, ok let's put some content in their directories ...
intrepid:/home# mkdir jim/fish
intrepid:/home# mkdir jim/cheese
intrepid:/home# mkdir susan/pages
intrepid:/home# mkdir susan/diary
----[ and we'll bug out of being root and look as a regular user
intrepid:/home# exit
intrepid:/home> ls -FC jim
ls: jim: Permission denied
intrepid:/home> ls -FC susan
diary/  pages/
----[ so jim's dirs are not visible, but susan's are
intrepid:/home> ls -l sites
total 20
drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.chicken
drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.green
drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.jim
drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.pinhole
drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.susan
----[ and as a user, I can still see inside sites, which, to be honest
----[ could be set 755 or 711, and would still work, but as you mention
----[ correctly, setting /home as 700, or drwx------, would be catastrophic
----[ to the web server and users ... setting /home as 711 would stop users
----[ noseying around under /home as well :)

HTH

--
  ___  ___ __ _________ @well.com  William Anderson - www.well.com/~neuro
 / _ \/ -_) // / __/ _ \|     "All your base are belong to us. You are on
/_//_/\__/\_,_/_/  \___/|     the way to destruction." -- CATS, Zero Wing