[thelist] linux: user / permission chaos

sulasmin suruji sazmin_alyin at yahoo.com
Fri Apr 20 02:49:24 CDT 2001


--- William Anderson <neuro at well.com> wrote:
> ----- Original Message -----
> From: "Joxn" <joxn at vernum.com>
> To: "Mailinglist at lists.evolt.org :EVOLT" <thelist at lists.evolt.org>
> Sent: Thursday, April 19, 2001 4:21 PM
> Subject: [thelist] linux: user / permission chaos
> 
> 
> > Hi,
> > I've got some chaos concerning the user / permission on our RedHat server.
> >
> > I want to lock a user in his homedir, e.g. /home/userfoo/
> >
> > Our websites are in /home/sites/site01.com/ and so on.
> >
> > /home is owned by root and set to "drwxr-xr-x" - this way the sites work fine.
> >
> > However, if I set ".." in /home/userfoo/ to "drwx------" I actually change the setting of /home and the sites break, too.
> >
> > So how can I lock a user in his homedir without breaking the sites?
> 
> okaaaaaaay ...
> 
> let's deal with user 'jim', whose homedir is /home/jim, and user 'susan', whose homedir is /home/susan.  the best way to very basically lock them out from each other is to use 711 perms on their directories, that is drwx--x--x.  You can leave /home as 755 drwxr-xr-x or you can lock that down to 711 as well if you like.  This allows programs, daemons and processes to 'see' inside the directories if paths are fully specified, but does not allow things like 'ls'.
> 
> so:
> 
> ----[ let's login as root
> intrepid:/home> su
> Password:
> ----[ and we'll have a look in /home
> intrepid:/home# ls -l
> total 48
> drwxr-xr-x    8 root     uucp         4096 Dec  6  1997 ftp
> drwxr-xr-x    2 jim      users        4096 Apr 20 01:40 jim
> drwxr-xr-x    2 root     root        16384 Dec 30 18:44 lost+found
> drwxr-sr-x    2 mp3      mp3          4096 Apr 17 20:01 mp3
> drwxr-sr-x    2 neuro    staff        4096 Dec 30 18:53 neuro
> drwxr-xr-x    2 www-data staff        4096 Apr 20 01:41 sites
> drwxrwsr-x    4 root     staff        4096 Jan  2 15:20 squid
> drwxr-xr-x    5 root     root         4096 Apr  4 01:57 support
> drwxr-xr-x    2 susan    users        4096 Apr 20 01:41 susan
> ----[ and we see jim and susan have homedirs - let's change their privs
> intrepid:/home# chmod 711 jim
> intrepid:/home# chmod 755 susan
> ----[ ok, jim should be drwx--x--x and susan should be drwxr-xr-x
> ----[ meaning jim's dir is not immediately visible, but susan's is
> intrepid:/home# ls -ld jim susan
> drwx--x--x    4 root     staff        4096 Apr 20 01:42 jim
> drwxr-xr-x    4 root     staff        4096 Apr 20 01:42 susan
> ----[ yep, ok let's put some content in their directories ...
> intrepid:/home# mkdir jim/fish
> intrepid:/home# mkdir jim/cheese
> intrepid:/home# mkdir susan/pages
> intrepid:/home# mkdir susan/diary
> ----[ and we'll bug out of being root and look as a regular user
> intrepid:/home# exit
> intrepid:/home> ls -FC jim
> ls: jim: Permission denied
> intrepid:/home> ls -FC susan
> diary/  pages/
> ----[ so jim's dirs are not visible, but susan's are
> intrepid:/home> ls -l sites
> total 20
> drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.chicken
> drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.green
> drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.jim
> drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.pinhole
> drwxr-sr-x    2 www-data staff        4096 Apr 20 01:41 www.susan
> ----[ and as a user, I can still see inside sites, which, to be honest
> ----[ could be set 755 or 711, and would still work, but as you mention
> ----[ correctly, setting /home as 700, or drwx------, would be catastrophic
> ----[ to the web server and users ... setting /home as 711 would stop users
> ----[ nosing around under /home as well :)
> 
> HTH
> 
> --
>   ___  ___ __ _________ @well.com  William Anderson - www.well.com/~neuro
>  / _ \/ -_) // / __/ _ \|     "All your base are belong to us. You are on
> /_//_/\__/\_,_/_/  \___/|     the way to destruction." -- CATS, Zero Wing
> 
> 
> ---------------------------------------
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt ! 


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
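The two points the reply makes (711 lets a daemon open a fully specified path but stops ls, and chmod on ".." from inside a homedir rewrites the parent) can be reproduced without touching a real /home. The script below is an added example, not code from the thread; it rebuilds the layout from the post (jim, susan, sites/www.chicken) under a mktemp scratch directory and assumes POSIX sh plus coreutils. Because it runs as a single unprivileged user rather than as jim, susan and www-data, it strips the owner's r bit (311) to stand in for what the 'other' class sees on a 711 directory; root ignores these DAC bits entirely, so the list/open checks only mean something when run as a non-root user.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the /home layout from
# the thread in a scratch directory and show why 711 works and 700 does not.
# Assumptions: POSIX sh with coreutils (mktemp, ls, chmod, cat); the scratch
# tree stands in for /home; names are taken from the post.
set -eu

# Lay out a fake /home: two user homedirs plus the sites tree.
# Prints the scratch root.
setup_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/jim/fish" "$root/home/jim/cheese" \
           "$root/home/susan/pages" "$root/home/susan/diary" \
           "$root/home/sites/www.chicken"
  echo '<h1>chicken</h1>' > "$root/home/sites/www.chicken/index.html"
  echo 'jim only'         > "$root/home/jim/fish/notes.txt"
  chmod 755 "$root/home" "$root/home/sites" "$root/home/sites/www.chicken" "$root/home/susan"
  chmod 711 "$root/home/jim"
  echo "$root"
}

# First field of ls -ld, e.g. drwx--x--x (portable, unlike stat -c).
mode_of() { ls -ld "$1" | cut -c1-10; }

# 0 if the directory can be listed (needs r on it), 1 otherwise.
can_list() { ls "$1" >/dev/null 2>&1; }

# 0 if a file can be opened by its full path (needs x on every directory
# in the path, but not r), 1 otherwise.
can_open() { cat "$1" >/dev/null 2>&1; }

# The reply's advice: 711 on every homedir, /home and /home/sites left alone.
lock_homedirs() {
  for d in "$1"/home/*/; do
    d=${d%/}
    case $d in */sites) ;; *) chmod 711 "$d" ;; esac
  done
}

# What the original poster did: chmod ".." from inside a homedir. The mode
# lands on the parent (/home here), not on the homedir. Prints the parent's mode.
chmod_dotdot_from_inside() {
  ( cd "$1/home/jim" && chmod 700 .. )
  mode_of "$1/home"
}

# Stand-in for the 'other' class on a 711 directory: drop the owner's r bit
# (311), then try to list the dir and to open a file inside it by full path.
# As a non-root user this yields "list=no open=yes"; root bypasses DAC.
demo_x_without_r() {
  d=$1/home/jim
  chmod 311 "$d"
  if can_list "$d"; then list=yes; else list=no; fi
  if can_open "$d/fish/notes.txt"; then open=yes; else open=no; fi
  chmod 711 "$d"
  echo "list=$list open=$open"
}

main() {
  root=$(setup_tree)
  echo "jim:   $(mode_of "$root/home/jim")"
  echo "susan: $(mode_of "$root/home/susan")"
  lock_homedirs "$root"
  echo "after lock_homedirs, susan: $(mode_of "$root/home/susan")"
  echo "x without r on jim: $(demo_x_without_r "$root")"
  echo "after chmod 700 .. from inside jim: /home is $(chmod_dotdot_from_inside "$root")"
  chmod 755 "$root/home"
  rm -rf "$root"
}
main
```

The last step is the one that broke the poster's sites: "." and ".." are just directory entries, so `chmod 700 ..` from /home/userfoo is the same operation as `chmod 700 /home`, and once /home is drwx------ the web server (running as www-data, a non-owner) can no longer traverse into /home/sites at all.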