Linux – Allow access in home directory for apache but not other users

centosfile-permissionslinuxpermissions

I build a website that automatically manages a dedicated server. It does all sorts of things like creating users and apache settings to point to their home directory.

The home directories host game binaries, and the home folder can be accessed from the web, but only non-essential resource files (.wav .mdl .spr etc) can be accessed, that's how apache is configured. So for this to work, I need execute and read permissions on all files.

The problem is that binaries run in one user's home folder can access other users' home folder, read and write to files in there.

How can I make a user's home directory unaccessible to anyone else but him and via apache?
Here's what the folder tree looks like:

http://i.imgur.com/LVFMle2.png (no rep to show image directly)

Best Answer

Set an ACL on each user's home directory, to which Apache needs access. This lets you avoid silly tricks with groups, which can actually cause more problems than they solve.

For example:

setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/username

will allow the httpd user to read everything in that directory, including subdirectories and any newly created files.

Related Solutions

Ssh – CopSSH SFTP — limit users access to their home directory only

create group 'SSH Users' in computer management
Add group to gpedit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally (see Can't login to Cygwin sshd server with a non-administrator user account)
run gpupdate
Add ftpuser to group SSH Users
Append details in /etc/sshd_config:
```
Subsystem sftp internal-sftp

Match User ftpuser
    ChrootDirectory /home/ftpuser
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```
(the keywords on the lines following the Match directive apply only to the user ftpuserand override those set in the global section of the config file, until either another Match line or the end of the file.)
Activate ftpuser user through copSSH wizard
Delete all .ssh .bashprofile files/folders under ftpuser folder
Set SvcCOPSSH user to root id 0
```
SvcCOPSSH:unused_by_nt/2000/xp:**0**:545:U...
```
(see http://www.itefix.no/i2/node/11956)
Might need to do the following as well in copSSH 'UNIX BASH Shell'
```
cd /
chown SvcCOPSSH /
chmod 0755 /
```
restart openssh service

Linux – Unix / linux permissions setup for shared hosting with Apache

That's what I did:

chown user_name:www-data website_dir
chmod g+s website_dir # this makes new files/directories in that catalog owned by www-data user (standard Debian webserver user)
Then any user-created file that's group-readable can be accessed by webserver, and user can do chmod g+w if they want directory/file to be also writable by webserver (like configs/upload etc)

Downside of that is that user www-data runs all the scrips so user can get another user data using php/ruby/perl/whatever is run on webserver.

Next step would be using something like mod_suphp or mod_suexec to run user scrips with privledges of that user.

Best Answer

Related Solutions

Ssh – CopSSH SFTP — limit users access to their home directory only

Linux – Unix / linux permissions setup for shared hosting with Apache

Related Topic