
Re: [Sheflug] Apache / Samba integration



> 
> I would like the home folders to be private by default, i.e. the user's home
> folder /home/user to be owned by user and chmod 700 but
> /home/user/public_html to be owned by user but be chmod 744,
> but when I set these, Apache then cannot access the public_html ....
> 

You need at least 711 on $HOME and 711 on $HOME/public_html. On directories,
the execute bit is used to say whether permission to access the directory
is given. Adding the read bit (bit 4, giving, say, 755) would then allow
an "ls" to succeed; having access to a directory is not the same as being
able to read the contents of said directory :-)

You need 711 on $HOME as the only way someone (other than the owner of the
directory) can get to $HOME/public_html is if they have access to $HOME as
well :) 711 is as secure as you're going to get if you want the web server
to have access to public_html.

> Also .. Is there an inherited permissions thing in unix ..?  So that if a
> file has permission 700 in one directory but gets moved to another it will
> inherit the permissions of the new container.  I'm thinking if windows
> clients wish to publish material from their /home/user and then find that
> the permissions are wrong

No, but samba does have a way to force permissions; there's a directive you
can put into smb.conf ... "force create mode = ..." and then all files
created will have the permissions set in there. There is also "force
directory mode = ..." that allows you to set the permissions for any
directories created as well.

Unfortunately, that has the side effect, though, of allowing all files placed
into $HOME to be, potentially, world-readable. And as we have 711 on $HOME,
any user can potentially read any file there. Okay, someone would have
to know the name of the files in the first place (recall 711 doesn't allow
anyone to /read/ the directory, bar the owner), but even so...

To have more control, you'd have to set up a new samba share that points
straight to $HOME/public_html. That would allow $HOME to have a create mode
of 600/700 and public_html to have a create mode of 644/711/755/whatever.
You could then hide public_html from the share that shows $HOME so people
don't get confused between the two shares (see the directives "hide files"
and "veto files" in smb.conf).

This does however mean that all the users would have two shares they'd
have to connect to from Windows.

HTH,

Chris...

-- 
\ Chris Johnson           \
 \ cej [at] nightwolf.org.uk    ~-----,   
  \ http://cej.nightwolf.org.uk/  ~-----------------------------------, 
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
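An added example, not part of the original post: a small shell audit of the mode bits the reply recommends, so a web server running as "other" can traverse $HOME, traverse $HOME/public_html and read the files inside. It assumes GNU stat (Linux) and only reads the mode bits, so it gives the same answer whoever runs it.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the mode bits the reply
# recommends so a web server running as "other" can reach $HOME/public_html.
# Assumes GNU stat (Linux); it only reads mode bits, so the result does not
# depend on which user runs it.

# mode_of PATH -> permission bits in octal, e.g. 711
mode_of() {
    stat -c '%a' "$1"
}

# has_bits MODE MASK -> success if every bit of MASK is set in MODE (both octal)
has_bits() {
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# check_web_home HOME_DIR
# Needed by the server: execute on HOME (traverse only, 711 is enough),
# execute on public_html, and read on each file inside it. Prints one line
# per problem and returns 1 if the server would be refused anywhere.
check_web_home() {
    home=$1; pub=$1/public_html; rc=0
    if ! has_bits "$(mode_of "$home")" 001; then
        echo "$home: others cannot traverse (need at least 711)"; rc=1
    fi
    # Advisory only: the read bit lets anyone list the names in HOME.
    if has_bits "$(mode_of "$home")" 004; then
        echo "$home: others can list it (mode $(mode_of "$home")); 711 is tighter"
    fi
    if [ ! -d "$pub" ]; then
        echo "$pub: missing"; return 1
    fi
    if ! has_bits "$(mode_of "$pub")" 001; then
        echo "$pub: others cannot traverse (need at least 711)"; rc=1
    fi
    # Files dropped in by Samba with a 600 create mode fail here.
    for f in "$pub"/*; do
        [ -f "$f" ] || continue
        if ! has_bits "$(mode_of "$f")" 004; then
            echo "$f: not world-readable (need 644)"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_web_home /home/user` after setting the Samba create/directory modes to see which part of the chain still blocks the server.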
___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.