
My question is a bit complex. Basically, I want to give users ssh/sftp access to the server to their /home/user directory. I want to limit their ability to view other /home/user directories. Simple enough, right? No. I want to have a separate user (say apache) to have read access to all of the /home directories as well.

Right now I have the following perms:

drwxr-xr-x  14 root root   4096 Apr  3 15:41 home
...
cd /home
ll
drwxr-x--- 2 user1   user1   4096 Feb 10 14:16 user1
...

and I have added the user "apache" to the group for all users:

groups apache
apache : apache user1

The problem with this configuration is that when user1 logs in he can view /home/*

if I chmod the /home dir to 750 then when the user attempts to login he cannot get to his/her own folder.

Any suggestions?

  • I should also note that I DON'T want the apache user to have root access...so wheel is out of the question
    – fatu
    Commented Apr 6, 2012 at 17:43
  • Haha, I was actually going to propose just that. Hang on, let me see if I can't find you an answer. :)
    – weberc2
    Commented Apr 6, 2012 at 19:35

2 Answers


Can you change the group access to read-only, add Apache to the group, and restrict all permissions to everyone else? Thereby allowing the owning user to modify their files at will whilst Apache and other services can only read?

I'm not much of a permissions guru, but I would think this would work.

  • I removed "x" access to the directory by group but now the users themselves cannot login to their own directories
    – fatu
    Commented Apr 7, 2012 at 14:47
  • Any experience with chroot?
    – fatu
    Commented Apr 9, 2012 at 22:16
  • No, sorry, I know nothing about chroot. Is there a way to give users x-access to their own directory? I'm confused as to why they were getting x-access through a group policy and not on a per-user basis.
    – weberc2
    Commented Apr 10, 2012 at 10:33
  • @fatu /home must be executable to all users, or else users will not be able to access anything inside it, including their own home directories. Commented Jan 26, 2013 at 16:50
  • @fatu Did you read my answer? I suggested setting the group of all home directories to apache, then setting the permissions of the directories to 750/rwxr-x---. This will allow the owner of the home directory full access, the apache group read-only access, and all others no access. Commented Oct 20, 2013 at 17:34

My understanding is that you want most users to not be able to see the contents of /home, while still allowing them to log in and use the system normally, and allowing the apache group to see the contents of /home.

For directories, users must have execute permission to do ANYTHING with the contents, including cd to them. Thus, users without execute permission on /home will not be able to even see that their home directories exist, let alone start a shell in them.

Try this:

sudo chown root:apache /home  # owner=root, group=apache
sudo chmod 751 /home          # rwxr-x--x

This should allow the apache group to list /home's contents (and prevent all others from doing so), while still allowing each user to access their individual home directory.

Note that this does not prevent users from getting information on directories in /home if they already know their names. ls /home should not work, but ls -ld /home/$anything will. You can prevent non-apache users from doing anything inside others' home directories by setting them to $user:apache rwxr-x---:

sudo chown $user:apache ~$user  # owner=$user, group=apache
sudo chmod 750 ~$user           # rwxr-x---

You'll need to do this for each existing user with a home directory, and for each new user that you create, however.
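The two chown/chmod steps above, applied to every existing home directory and then audited for stragglers, as an added shell example that is not part of the answer: it builds a temporary directory tree standing in for /home and uses the caller's primary group in place of apache, both assumptions so that it runs unprivileged (on a real box you would run it as root against /home and apache).

```shell
#!/bin/sh
# Added example, not part of the original answer: apply the layout described
# above (root:apache 751 on /home, $user:apache 750 on each home) to every
# directory under a root, then audit for stragglers. Assumes GNU coreutils
# (stat -c); HOME_ROOT and READER_GROUP below are stand-ins for /home and apache.

# apply_home_perms ROOT GROUP
#   ROOT: rwxr-x--x, group GROUP -> GROUP can list it, others can only traverse
#   it to a directory whose name they already know (see the ls -ld note above).
#   Each subdirectory: rwxr-x---, group GROUP -> owner full access, GROUP
#   read-only, everyone else nothing.
apply_home_perms() {
    root=$1 group=$2
    chgrp "$group" "$root" && chmod 751 "$root" || return 1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        chgrp "$group" "$dir" && chmod 750 "$dir" || return 1
    done
}

# audit_home_perms ROOT
#   Reports every directory whose mode deviates from the layout (e.g. a home
#   left at 755 by adduser, readable by every local account) and returns 1
#   if any was found, 0 otherwise. Run this after creating new users.
audit_home_perms() {
    root=$1 bad=0
    mode=$(stat -c %a "$root")
    [ "$mode" = 751 ] || { echo "BAD $root mode $mode (want 751)"; bad=1; }
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        mode=$(stat -c %a "$dir")
        [ "$mode" = 750 ] || { echo "BAD $dir mode $mode (want 750)"; bad=1; }
    done
    return $bad
}

# Constructed stand-in for /home so this runs unprivileged: a temp tree with
# two "users" created world-readable, plus the caller's primary group standing
# in for apache (assumption; on a real box run as root with /home and apache).
HOME_ROOT=$(mktemp -d)
READER_GROUP=$(id -gn)
chmod 755 "$HOME_ROOT"
mkdir -m 755 "$HOME_ROOT/user1" "$HOME_ROOT/user2"

audit_home_perms "$HOME_ROOT" || echo "before: layout not applied yet"
apply_home_perms "$HOME_ROOT" "$READER_GROUP"
audit_home_perms "$HOME_ROOT" && echo "after: $HOME_ROOT matches 751/750 layout"
```

The audit only checks mode bits; whether the group really is apache still has to be confirmed with `ls -ld`, and a user with a world-readable file inside a 750 home is still protected because the directory itself blocks traversal.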
