So, for my clients who have sites hosted on my server, I create user accounts, with standard home folders inside /home.

I set up an SSH jail for all the collective users, because I really am against using a separate FTP server. Then, I installed ACL and added acl to my /etc/fstab — all good.

  1. I cd into /home and chmod 700 ./*.
  2. At this point users cannot see into other users home directories (yay), but apache can't see them either (boo)
  3. I ran setfacl u:www-data:rx ./*. I also tried individual directories.
  4. Now apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.

How do I set up ACLs so that 1. Apache can see the sites hosted in users' home folders AND 2. users can't see outside their home and into others' files?

+1  A: 

One trick I've used on shared boxes is to:

  • recursively set the contents of the home directories to not allow access to "other" users

    chmod -R o-rwx /home/*

  • set the permissions of all the top-level user home directories to be executable by "other" users

    chmod o+x /home/*

  • change each user's public_html directory group to www-data (or your apache group)

    chgrp www-data /home/*/public_html

  • change all the directories under /home/*/public_html to be setgid

    find /home/user/public_html -type d -exec chmod 2750 {} \;

Don't add any of the users to the www-data (or apache group). Even though they aren't members, the setgid trick will still make the files readable by apache. It's not foolproof (moving files does not always change group owner and sometimes the other user permissions are left if present before a move) but it does work on my box. Hope this helps a little! Maybe someone else will have a better solution.

DaGoodBoy
I can see how it'd work, but I don't like the idea of the /home/joeuser/joeuser.com folder being owned by anything other than joeuser:collective.
arbales
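An audit for the layout described in the answer above, catching the drift it warns about (files moved in with their old "other" bits, directories missing setgid). This is an added example, not code from the original posts; the function names and the sample tree are constructed, and the chgrp step is omitted because it needs root and a real web-server group.

```shell
#!/bin/sh
# Added example: audit a /home-style tree against the chmod/setgid layout.
# Function names and the sample tree are constructed for illustration.

# audit_homes ROOT: print one finding per line (no output means clean).
audit_homes() {
    # Home directories that "other" can list or write into.
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -004 -o -perm -002 \) |
        sed 's/^/HOME_OPEN /'
    # Anything below a home directory with any "other" bit still set,
    # for example a file moved in with its old mode.
    find "$1" -mindepth 2 ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sed 's/^/OTHER_BITS /'
    # public_html directories missing setgid: new files created there
    # would not inherit the directory's group.
    find "$1" -mindepth 2 -type d \
        \( -path '*/public_html' -o -path '*/public_html/*' \) \
        ! -perm -2000 | sed 's/^/NO_SETGID /'
}

# make_sample: build a constructed tree with wide-open 755 modes, print its path.
make_sample() {
    s=$(mktemp -d)
    mkdir -p "$s/alice/public_html/img" "$s/bob/public_html"
    echo '<p>hi</p>' > "$s/alice/public_html/index.html"
    echo 'private' > "$s/bob/notes.txt"
    chmod -R 755 "$s"
    echo "$s"
}

# apply_layout ROOT: the chmod steps from the answer. The chgrp step is left
# out because it needs root and a real web-server group.
apply_layout() {
    chmod -R o-rwx "$1"/*
    chmod o+x "$1"/*
    find "$1"/*/public_html -type d -exec chmod 2750 {} \;
}

demo=$(make_sample)
echo "findings before: $(audit_homes "$demo" | wc -l)"
apply_layout "$demo"
echo "findings after:  $(audit_homes "$demo" | wc -l)"
rm -rf "$demo"
```

Run `audit_homes /home` periodically (from cron, for instance) and treat any output line as a permission regression to investigate.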
+2  A: 

Since I cross-posted the question (I didn't know about ServerFault until after I asked), I'll cross-post the answer, since I personally find the question to be appropriate for both communities.

hayalci's (on ServerFault) comment that

chmod and setfacl do not work too well together.

helped a good deal. Instead of using CHMOD to prevent other groups from accessing the data, I used:

    cd /home
    setfacl -m g::0 joeuser # Removes permissions for the owning group.
    setfacl -m g:www-data:r joeuser # Adds read permissions for Apache
    cd joeuser/joeuser.com/static/
    setfacl -m g:www-data:rwx uploads # So apache can write to the uploads directory.

arbales
