[Adduser-devel] Bug#398793: Default Homedir Permissions

Roger Leigh rleigh at codelibre.net
Thu Feb 17 15:06:59 UTC 2011


On Thu, Feb 17, 2011 at 01:44:26PM +0000, Ian Jackson wrote:
> Perhaps it might be reasonable to try to find a way for accounts like
> msql and www-data not to be able to access home directories (add
> "daemon" to their supplementary group list and set the permissions of
> /home 0705 to root.daemon, perhaps), but is this really worthwhile ?
> If it is, the right thing to do is to go away and think about exactly
> how to do it, not to file a bug asking for the default home directory
> permissions to be changed.

This is easily accomplished using ACLs.  Example to only allow apache
access to public_html, and nothing else:

% setfacl -m g:www-data:x ~
% setfacl -m g:www-data:rx ~/public_html
% getfacl ~ ~/public_html
getfacl: Removing leading '/' from absolute path names
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:--x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
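An added example (not part of Roger's mail or of adduser) that parses the getfacl output quoted above and applies the POSIX ACL access-check order the kernel uses (owner entry, named users, owning/named groups, mask, then other). It makes the security-relevant detail visible: because www-data matches a named group entry, access for it is decided by that entry and never falls through to `other::r-x`, so www-data ends up with only `--x` on the home directory while every other non-owner still gets `r-x`. The user and group names are taken from the quoted output; the extra user "nobody" in group "nogroup" is a constructed stand-in for any unrelated account.

```python
"""Effective-permission calculator for POSIX ACLs as printed by getfacl.

The ACL text below is the getfacl output quoted in the mail, embedded so the
example runs offline. Name matching is done on user/group names, not numeric
ids, which is enough to illustrate the evaluation order.
"""

GETFACL_OUTPUT = """\
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:--x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x
"""


def parse_perm(s):
    """'r-x' -> {'r', 'x'}"""
    return {c for c in s if c != "-"}


def parse_getfacl(text):
    """Return {path: {"owner": .., "group": .., "entries": [(tag, qualifier, perms)]}}."""
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file: "):
            current = {"owner": None, "group": None, "entries": []}
            acls[line[len("# file: "):]] = current
        elif line.startswith("# owner: "):
            current["owner"] = line[len("# owner: "):]
        elif line.startswith("# group: "):
            current["group"] = line[len("# group: "):]
        elif line.startswith("#"):
            continue  # e.g. "# flags:" lines on setuid/setgid objects
        else:
            # getfacl may append "#effective:..." when the mask narrows an entry
            tag, qual, perm = line.split("#")[0].strip().split(":")
            current["entries"].append((tag, qual, parse_perm(perm)))
    return acls


def masked(perm, mask):
    """Named-user and all group entries are capped by the mask entry, if present."""
    return perm if mask is None else (perm & mask)


def check_access(acl, user, groups, want):
    """True if `user` (member of `groups`) holds every permission in `want`.

    Mirrors the POSIX.1e / Linux order: owner entry, named user, owning group
    and named groups (first matching entry that grants wins, subject to the
    mask), and `other` only if no group entry matched at all.
    """
    want = set(want)
    mask = next((p for t, _, p in acl["entries"] if t == "mask"), None)
    matched_group = False
    for tag, qual, perm in acl["entries"]:
        if tag == "user" and qual == "":
            if user == acl["owner"]:
                return want <= perm  # owner entry is never masked
        elif tag == "user":
            if user == qual:
                return want <= masked(perm, mask)
        elif tag == "group":
            gid = acl["group"] if qual == "" else qual
            if gid in groups:
                matched_group = True
                if want <= perm:
                    return want <= masked(perm, mask)
        elif tag == "other":
            if matched_group:
                return False  # a matching group entry never falls through to other
            return want <= perm
    return False


def effective_perms(acl, user, groups):
    """Render the permissions `user` actually gets as an rwx string."""
    return "".join(c if check_access(acl, user, groups, c) else "-" for c in "rwx")


ACLS = parse_getfacl(GETFACL_OUTPUT)

if __name__ == "__main__":
    for path, acl in ACLS.items():
        for user, groups in (("rleigh", {"rleigh"}), ("www-data", {"www-data"}),
                             ("nobody", {"nogroup"})):
            print(f"{path:<28} {user:<9} {effective_perms(acl, user, groups)}")
```

Run stand-alone it prints a small matrix: www-data gets `--x` on the home directory (traverse only) and `r-x` on public_html, rleigh keeps `rwx`, and an unrelated account keeps the `r-x` granted by `other`. The mask entry is worth checking in the same way whenever `setfacl` is used, since a later `chmod g-rx` on the directory rewrites the mask and silently narrows every named entry.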