ansaurus

Question

Answer 1

+1 A:

One trick I've used on shared boxes is to:

recursively set the contents of the home directories to not allow access to "other" users

chmod -R o-rwx /home/*
set all the top-level user's home directories permissions to be executable by "other" users

chmod o+x /home/*
change each user's public_html directory group to www-data (or your apache group)

chgrp www-data /home/*/public_html
change all the directories under /home/*/public_html to be setgid

find /home/user/public_html -type d -exec chmod 2750 {} \;

Don't add any of the user's to the www-data (or apache group). Even though they aren't members, the setgid trick will still make the files readable by apache. It's not fullproof (moving files does not always change group owner and sometimes the other user permissions are left if present before a move) but it does work on my box. Hope this helps a little! Maybe someone else will have a better solution.

DaGoodBoy 2009-08-16 01:40:39

I can see how it'd work, but I don't like the idea of the /home/joeuser/joeuser.com folder being owned by anything other than joeuser:collective.

arbales 2009-08-16 04:36:06

Answer 2

+2 A:

Since I cross-posted the question (I didn't know about ServerFault until after I asked), I'll cross-post the answer, since I personally find the question to be appropriate for both communities.

hayalci's (on ServerFault) comment that

chmod and setfacl do not work too well together.

helped a good deal. Instead of using CHMOD to prevent other groups from accessing the data, I used:

cd /home
setfacl -m g::0 joeuser # Removes permissions for the owning group.
setfacl -m g:www-data:r joeuser # Adds read permissions for Apache
cd joeuser/joeuser.com/static/
setfacl -m g:www-data:rwx uploads # So apache can write to the uploads directory.

arbales 2009-08-16 04:14:25

ansaurus

tags:

views:

answers:

Access Control Lists in Debian Lenny

related questions