[NTLUG:Discuss] apache problem

Stephen Denny sdenny at hex.net
Thu Jun 15 15:52:09 CDT 2000


On Thu, 15 Jun 2000, Jay Urish wrote:

> At 02:50 PM 6/15/00 , you wrote:
> >Jay,
> >
> >Can't you just specify permissions as rwx--x--x for /home/macdade
> >and then rwxr-xr-x for home/macdade/www and below?
> 
> I could BUT then other users with ftp access could make it into the dir and 
> rip off content etc.

Generally, group access is used to permit certain users to share
files and directories while restricting others.  You could certainly
hack something up to work but it might be messy.

I think I understand your problem to be that users need to upload 
files to the webserver but while there they shouldn't see other
people's files, or your password file etc.

I can't recommend allowing shell access on that machine for at least
two reasons - security (such as the problem you are addressing) and
system resources.  You really don't want someone solving prime numbers
on your webserver.  If you insist, give them a restricted shell.
Shell services are best offered on a separate box that you consider a
throw away and don't mind reloading regularly.

Instead, allow users only ftp access.  To fix your specific problem, I
recommend that you discard wu-ftp and use proftp instead.  It is
easily configured to restrict users from browsing around on your file
structure.  It does this without regard to file permissions.  You can
restrict each user to his own home directory just the same way you
restrict anonymous ftp users to the anonymous areas.

And be sure and turn on disk quotas so one person doesn't fill 
up your entire disk with a movie.

Regards,

Stephen Denny                                 mailto:sdenny at hex.net
Hex.Net Superhighway                             http://www.hex.net
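
The permission layout discussed in this thread (rwx--x--x on the home directory, rwxr-xr-x on www), as an added example that is not part of the original message: it reads the mode bits to show what users outside the owner and group can reach, which is why file permissions alone leave www content readable by other local accounts. The function names and the temporary tree under mktemp are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspects mode bits only, on a constructed temporary tree.

# What can users outside the owner and group ("other") do with directory $1?
other_access() {
    bits=$(ls -ld "$1" | cut -c8-10)      # e.g. "--x" for rwx--x--x
    case "$bits" in
        r?[xt]) echo "list+traverse" ;;   # can list names and enter
        -?[xt]) echo "traverse-only" ;;   # can enter a known path, cannot list
        r??)    echo "list-only" ;;
        *)      echo "none" ;;
    esac
}

# Succeeds if "other" can read file $1: the file needs other-read and every
# directory from the file up to $2 (the home directory) needs other-execute.
other_can_read() {
    file=$1; home=$2
    [ "$(ls -ld "$file" | cut -c8)" = "r" ] || return 1
    dir=$(dirname "$file")
    while :; do
        case "$(other_access "$dir")" in
            list+traverse|traverse-only) ;;
            *) return 1 ;;
        esac
        case "$dir" in "$home"|/|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# Build the layout from the thread, plus a private directory for contrast.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/macdade/www" "$base/macdade/private"
    echo page > "$base/macdade/www/index.html"
    echo notes > "$base/macdade/private/notes.txt"
    chmod 644 "$base/macdade/www/index.html" "$base/macdade/private/notes.txt"
    chmod 711 "$base/macdade"; chmod 755 "$base/macdade/www"
    chmod 700 "$base/macdade/private"
    echo "$base"
}

t=$(demo_tree)
for d in "$t/macdade" "$t/macdade/www" "$t/macdade/private"; do
    printf '%s: %s\n' "${d#"$t"}" "$(other_access "$d")"
done
other_can_read "$t/macdade/www/index.html" "$t/macdade" && echo "www/index.html: readable by other local users"
rm -rf "$t"
```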







