Access Control Lists in Debian Lenny

Posted by arbales on Server Fault See other posts from Server Fault or by arbales
Published on 2009-08-07T04:53:47Z Indexed on 2010/04/29 23:18 UTC
Read the original article Hit count: 660

Filed under:
|
|
|

So, for my clients to who have sites hosted on my server, I create user accounts, with standard home folders inside /home.

I setup an SSH jail for all the collective users, because I really am against using a separate FTP server. Then, I installed ACL and added acl to my /etc/fstab — all good.

  1. I cd into /home and chmod 700 ./*.
    • At this point users cannot see into other users home directories (yay), but apache can't see them either (boo)
    • . I ran setfacl u:www-data:rx ./*. I also tried individual directories.
    • Now apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.

How do I setup ACL's so that Apache can see the sites hosted in user's home folders AND 2. Users can't see outside their home and into others' files.


Edit: more details:

Output after chmod -R 700 ./*

sh-3.2# chmod 700 ./*
sh-3.2# ls -l
total 72
drwx------+ 24 austin  austin     4096 Jul 31 06:13 austin
drwx------+  8 jeremy  collective 4096 Aug  3 03:22 jeremy
drwx------+ 12 josh    collective 4096 Jul 26 02:40 josh
drwx------+  8 joyce   collective 4096 Jun 30 06:32 joyce

(Not accessible to others users OR apache)

setfacl -m u:www-data:rx jeremy

(Now accessible to members apache and collective — why collective, too?)

sh-3.2# getfacl jeremy 
# file: jeremy
# owner: jeremy
# group: collective
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---

Solution

Ultimately what I did was:

chmod 755 *
setfacl -R -m g::--- *
setfacl -R -m u:www-data:rx *

© Server Fault or respective owner

Related posts about debian

Related posts about acl