[NTLUG:Discuss] apache problem
Jay Urish
j at dalwan.net
Thu Jun 15 18:09:31 CDT 2000
At 03:52 PM 6/15/00 , you wrote:
>On Thu, 15 Jun 2000, Jay Urish wrote:
>
> > At 02:50 PM 6/15/00 , you wrote:
> > >Jay,
> > >
> > >Can't you just specify permissions as rwx--x--x for /home/macdade
> > >and then rwxr-xr-x for home/macdade/www and below?
> >
> > I could BUT then other users with ftp access could make it into the dir and
> > rip off content etc.
>
>Generally, group access is used to permit certain users to share
>files and directories while restricting others. You could certainly
>hack something up to work but it might be messy.
>
>I think I understand your problem to be that users need to upload
>files to the webserver but while there they shouldn't see other
>people's files, or your password file etc.
>
Right!
>I can't recommend allowing shell access on that machine for at least
>two reasons - security (such as the problem you are addressing) and
>system resources. You really don't want someone solving prime numbers
>on your webserver. If you insist, give them a restricted shell.
>Shell services are best offered on a separate box that you consider a
>throw away and don't mind reloading regularly.
Heheh yea, I don't offer shell access, unless you count /bin/false as a
shell ;)
>Instead, allow users only ftp access. To fix your specific problem, I
>recommend that you discard wu-ftp and use proftp instead. It is
>easily configured to restrict users from browsing around on your file
>structure. It does this without regard to file permissions. You can
>restrict each user to his own home directory just the same way you
>restrict anonymous ftp users to the anonymous areas.
Hmm, that is an awesome idea. I think I will look into it.
>And be sure and turn on disk quotas so one person doesn't fill
>up your entire disk with a movie.
>
And that too!
>Regards,
>
>Stephen Denny mailto:sdenny at hex.net
>Hex.Net Superhighway http://www.hex.net
>
Jay Urish
Network Engineer - Dallas Wide Area Networking L.L.C
www.dalwan.net
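
The FTP jail suggested in the quoted reply, as a configuration sketch added here (not taken from either poster's server): a `proftpd.conf` fragment that confines each login to its own home directory. `DefaultRoot`, `RequireValidShell` and `Umask` are real ProFTPD directives; the umask value is an assumption.

```apache
# proftpd.conf fragment (added example, values are assumptions)

# Chroot every authenticated user into their own home directory,
# so /home/otheruser and /etc/passwd are not reachable over FTP
# regardless of the file permissions on them.
DefaultRoot ~

# The accounts in this thread use /bin/false as their shell.
# ProFTPD by default refuses logins whose shell is not listed in
# /etc/shells, so FTP-only accounts need this turned off (or
# /bin/false added to /etc/shells).
RequireValidShell off

# Uploaded files: owner read/write, group and other read-only, so the
# web server can still serve content under ~/www.
Umask 022
```

The jail only applies to FTP sessions: the web server and any local process still see the real filesystem, so the directory modes discussed earlier in the thread still matter for those.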