Access Control Lists in Debian Lenny
Posted by arbales on Server Fault, published 2009-08-07T04:53:47Z
So, for my clients who have sites hosted on my server, I create user accounts, with standard home folders inside /home. I set up an SSH jail for all the collective users, because I really am against using a separate FTP server. Then, I installed ACL and added acl to my /etc/fstab — all good.
- I cd into /home and chmod 700 ./*
- At this point users cannot see into other users' home directories (yay), but apache can't see them either (boo).
- I ran setfacl -m u:www-data:rx ./* (I also tried individual directories).
- Now apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.
How do I set up ACLs so that 1. Apache can see the sites hosted in users' home folders AND 2. users can't see outside their home and into others' files?
Edit: more details:
Output after chmod -R 700 ./*
sh-3.2# chmod 700 ./*
sh-3.2# ls -l
total 72
drwx------+ 24 austin austin 4096 Jul 31 06:13 austin
drwx------+ 8 jeremy collective 4096 Aug 3 03:22 jeremy
drwx------+ 12 josh collective 4096 Jul 26 02:40 josh
drwx------+ 8 joyce collective 4096 Jun 30 06:32 joyce
(Not accessible to others users OR apache)
setfacl -m u:www-data:rx jeremy
(Now accessible to members apache and collective — why collective, too?)
sh-3.2# getfacl jeremy
# file: jeremy
# owner: jeremy
# group: collective
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---
Solution
Ultimately what I did was:
chmod 755 *
setfacl -R -m g::--- *
setfacl -R -m u:www-data:rx *
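An added worked model (not code from the post) of the POSIX ACL mask rule behind the "why collective, too?" observation: setfacl -m recomputes the mask as the union of group:: and every named entry, and chmod on a directory that already carries an ACL changes the mask rather than group::, so the r-x that collective had before chmod 700 was only masked, not removed. The starting 755 mode and an earlier setfacl attempt (which is what put the "+" on the directories) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perm(s: str) -> int:   # 'r-x' -> 5, '---' -> 0
    return sum(PERM_BITS[c] for c in s if c != "-")

def fmt_perm(n: int) -> str:     # 5 -> 'r-x'
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

@dataclass
class Acl:
    owner: int
    group: int                        # group:: entry (the owning group, e.g. collective)
    other: int
    users: Dict[str, int] = field(default_factory=dict)  # user:NAME: entries
    mask: Optional[int] = None        # exists only once a named entry has been added

    def recalc_mask(self) -> None:
        # setfacl -m (without -n) recomputes mask as the union of group:: and every named entry
        self.mask = self.group
        for p in self.users.values():
            self.mask |= p
    def chmod(self, mode: int) -> None:
        # On a file with an extended ACL, chmod's group bits set the MASK; group:: is untouched
        self.owner, self.other = (mode >> 6) & 7, mode & 7
        if self.mask is None:
            self.group = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7
    def setfacl_user(self, name: str, perm: str) -> None:   # setfacl -m u:NAME:PERM
        self.users[name] = parse_perm(perm)
        self.recalc_mask()
    def setfacl_group_obj(self, perm: str) -> None:         # setfacl -m g::PERM
        self.group = parse_perm(perm)
        self.recalc_mask()
    def effective_group(self) -> int:   # what members of the owning group really get
        return self.group if self.mask is None else self.group & self.mask
    def effective_user(self, name: str) -> int:
        return self.users[name] & self.mask
    def mode_string(self) -> str:       # ls -l shows the mask in the group column, not group::
        g = self.group if self.mask is None else self.mask
        return fmt_perm(self.owner) + fmt_perm(g) + fmt_perm(self.other)

def replay_post() -> Acl:
    """Replay the poster's commands on a home dir that starts as a plain 755 (constructed)."""
    acl = Acl(owner=7, group=5, other=5)
    acl.setfacl_user("www-data", "r-x")  # assumed earlier attempt: adds the '+' and a mask of r-x
    acl.chmod(0o700)                     # mask becomes ---, but group:: stays r-x underneath
    acl.setfacl_user("www-data", "r-x")  # mask recomputed to r-x, so collective is back in
    return acl
```

Calling replay_post().setfacl_group_obj("---") afterwards reproduces the g::--- step of the solution: the mask stays r-x for www-data while the owning group's effective rights drop to ---.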
© Server Fault or respective owner