Thanks, all, there is no ~/public_html directory on this desktop
system. I will simply chmod 700 $HOME. Thanks!

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Ken Teague wrote:
> On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10@gmail.com> wrote:
>> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
>> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
>> break stuff. Otherwise, just changing $HOME permissions is an excellent
>> solution.
>
> Great point. "chmod 700 $HOME" would make ~/public_html to be not so
> public, since, on a Debian box, apache runs under the www-data
> account. So, if Mr. Cohen has such a configuration, he would need
> to relocate his ~/public_html directory (along with all symlinked
> scripts or binaries) to a public location that can be accessed by the
> www-data account, and modify his apache configuration accordingly. I
> have an account on freeshell.net that is configured like this:
>
> [501]itsme@iceland:~$ ls -ld $HOME
> drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> [502]itsme@iceland:~$ ls -l html
> lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> [503]itsme@iceland:~$ ls -ld /www/am/i/itsme
> drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
>
> This, to me, looks like the most elegant approach.
>

Actually, this is the sort of situation where a $HOME permission of 711
would be useful. Disallowing wild card based access but if the full
name is known, the file can be read (assuming it has the correct
permissions, of course).

You could even go so far as to set the group ownership of $HOME to the
www-data group and set $HOME to be 710.

--
Bob McGowan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> Ken Teague wrote:
> > On Wed, Jan 6, 2010 at 4:29 PM, green <greenfreedom10@gmail.com> wrote:
> >> Okay, I was assuming recursion because I have a ~/public_html and symlinks from
> >> it to other files scattered in my $HOME and so a "chmod 700 $HOME" would just
> >> break stuff. Otherwise, just changing $HOME permissions is an excellent
> >> solution.
> >
> > Great point. "chmod 700 $HOME" would make ~/public_html to be not so
> > public, since, on a Debian box, apache runs under the www-data
> > account. So, if Mr. Cohen has such a configuration, he would need
> > to relocate his ~/public_html directory (along with all symlinked
> > scripts or binaries) to a public location that can be accessed by the
> > www-data account, and modify his apache configuration accordingly. I
> > have an account on freeshell.net that is configured like this:
> >
> > [501]itsme@iceland:~$ ls -ld $HOME
> > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> > [502]itsme@iceland:~$ ls -l html
> > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> > [503]itsme@iceland:~$ ls -ld /www/am/i/itsme
> > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
> >
> > This, to me, looks like the most elegant approach.
> >
>
> Actually, this is the sort of situation where a $HOME permission of 711
> would be useful. Disallowing wild card based access but if the full
> name is known, the file can be read (assuming it has the correct
> permissions, of course).
>
> You could even go so far as to set the group ownership of $HOME to the
> www-data group and set $HOME to be 710.

A cleaner alternative is to use ACLs (package "acl"):

% setfacl -m g:www-data:rx ~ ~/public_html

% getfacl ~ ~/public_html
getfacl: Removing leading '/' from absolute path names
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

Note, you'll need to enable ACL support on your filesystem,
e.g. by running "mount -o remount,acl /home" and/or setting
the acl option in /etc/fstab.


Regards,
Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.

On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> Ken Teague wrote:
> >
> > [501]itsme@iceland:~$ ls -ld $HOME
> > drwx------ 16 itsme arpa 1024 Oct 21 18:39 /arpa/nl/i/itsme
> > [502]itsme@iceland:~$ ls -l html
> > lrwx------ 1 itsme arpa 16 Jan 26 2009 html -> /www/am/i/itsme
> > [503]itsme@iceland:~$ ls -ld /www/am/i/itsme
> > drwxr-x--x 4 itsme nobody 512 Oct 30 19:37 /www/am/i/itsme
> >
> > This, to me, looks like the most elegant approach.
> >
>
> Actually, this is the sort of situation where a $HOME permission of 711
> would be useful. Disallowing wild card based access but if the full
> name is known, the file can be read (assuming it has the correct
> permissions, of course).
>
> You could even go so far as to set the group ownership of $HOME to the
> www-data group and set $HOME to be 710.

The way I have it set up is $HOME has rwxr-x--x, public_html has
rwxr-s--- chgrp'd to www-data. Most of my files are rw-------, except
where group read is required, files that fall into that category are
usually located in other directories with relevant permissions set up.
I suppose by now we should really be using acl's though.

Cheers,
Tom

--
You may be right, I may be crazy,
But it just may be a lunatic you're looking for!
-- Billy Joel

On Thu, Jan 07, 2010 at 06:54:12PM +0000, Tom Furie wrote:
> On Thu, Jan 07, 2010 at 08:09:49AM -0800, Bob McGowan wrote:
> > Ken Teague wrote:
> > >

[snip]

> The way I have it set up is $HOME has rwxr-x--x, public_html has
> rwxr-s--- chgrp'd to www-data. Most of my files are rw-------, except
> where group read is required, files that fall into that category are
> usually located in other directories with relevant permissions set up.
> I suppose by now we should really be using acl's though.

Somebody else commented on ACL's. I wonder how many other people are
using ACL's


>
> Cheers,
> Tom
>



--
e-credibility: the non-guaranteeable likelihood that the electronic data
you're seeing is genuine rather than somebody's made-up crap.
-- Karl Lehenbauer

Roger Leigh wrote:
> % setfacl -m g:www-data:rx ~ ~/public_html

Many web servers are configured to run user-supplied CGI scripts as
www-data, so this approach is not particularly secure.

--
see shy jo

On Thu, Jan 07, 2010 at 04:19:14PM -0500, Joey Hess wrote:
> Roger Leigh wrote:
> > % setfacl -m g:www-data:rx ~ ~/public_html
>
> Many web servers are configured to run user-supplied CGI scripts as
> www-data, so this approach is not particularly secure.

I have not much experience of running web servers; this was just
intended as an example. However, I'm not sure why it's insecure
over the alternative of having it world readable? What is the
actual minimal requirement for access by the web server? Surely
it's representable in some form of ACL.

Once could just give execute perm to ~ and maybe additionally
read as well to ~/public_html?


Regards,
Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.

On Wed, Jan 06, 2010 at 11:16:16PM +0200, Dotan Cohen wrote:
> What are good permissions to use for one's home directory so that
> other users on the system could not read or otherwise access my files?
> Is 700 too paranoid? Should it be 755 like I see so many times? Will I
> have problems with 750?
>
In addition to using chmod as suggested by others, for securing
your files, why not try using encfs on directories that you *really* want
to protect from prying eyes? The added bonus is even root cannot see
those files and booting off a cd also will not let others look at
your files.

Regards,

--
Sridhar M.A. GPG KeyID : F6A35935
Fingerprint: D172 22C4 7CDC D9CD 62B5 55C1 2A69 D5D8 F6A3 5935

Sinners can repent, but stupid is forever.

On Thu, Jan 07, 2010 at 10:24:27PM +0000, Roger Leigh wrote:
> Once could just give execute perm to ~ and maybe additionally
> read as well to ~/public_html?

Exactly right. The read to ~/public_html is not necessary if
you have +x and a suitable index file underneath which is
readable, but it doesn't really hurt. (some people might not
want their web directories 'indexable'. Those people will
not want +r, but they will also want to turn of their web
server's directory indexing feature too).


--
Jon Dowland

On Fri, Jan 08, 2010 at 09:50:42AM +0000, Jon Dowland wrote:
> On Thu, Jan 07, 2010 at 10:24:27PM +0000, Roger Leigh wrote:
> > Once could just give execute perm to ~ and maybe additionally
> > read as well to ~/public_html?
>
> Exactly right. The read to ~/public_html is not necessary if
> you have +x and a suitable index file underneath which is

I believe the requirement for apache is it has to be able to read from /
to the destination directory.

I ran into trouble one time when I change / to 0.0 750

> readable, but it doesn't really hurt. (some people might not
> want their web directories 'indexable'. Those people will
> not want +r, but they will also want to turn of their web
> server's directory indexing feature too).
>
>



--
"Let me put it to you bluntly. In a changing world, we want more people to have control over your own life."

- George W. Bush
08/09/2004
Annandale, VA