So, for my clients who have sites hosted on my server, I create user accounts with standard home folders inside /home.
I set up an SSH jail for all the collective users, because I really am against using a separate FTP server. Then I installed ACL and added acl to my /etc/fstab — all good.
- I cd into /home and chmod 700 ./*
- At this point users cannot see into other users' home directories (yay), but apache can't see them either (boo)
- I ran setfacl u:www-data:rx ./*. I also tried individual directories.
- Now apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.
How do I set up ACLs so that 1. Apache can see the sites hosted in users' home folders AND 2. users can't see outside their home and into others' files?
Edit: more details:
Output after chmod -R 700 ./*
sh-3.2# chmod 700 ./*
sh-3.2# ls -l
total 72
drwx------+ 24 austin austin 4096 Jul 31 06:13 austin
drwx------+ 8 jeremy collective 4096 Aug 3 03:22 jeremy
drwx------+ 12 josh collective 4096 Jul 26 02:40 josh
drwx------+ 8 joyce collective 4096 Jun 30 06:32 joyce
(Not accessible to other users OR apache)
setfacl -m u:www-data:rx jeremy
(Now accessible to members apache and collective — why collective, too?)
sh-3.2# getfacl jeremy
# file: jeremy
# owner: jeremy
# group: collective
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---
Solution
Ultimately what I did was:
chmod 755 *
setfacl -R -m g::--- *
setfacl -R -m u:www-data:rx *
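To see why the first setfacl attempt still let collective members in, and why the Solution above shuts them out while ls -l keeps showing the group field as r-x, here is an added Python model of the POSIX ACL access check (not code from the question or any answer; user names and group memberships are constructed, and the "after" ACL is what the Solution's three commands leave behind):

```python
# Added example, not from the original question or answers: a small model of how
# POSIX.1e ACL entries and the mask decide access, run over the getfacl output
# from the question. Users, groups and the "after" ACL are constructed here.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
R, X = 4, 1

def parse_acl(text):
    """Parse getfacl-style lines into {(tag, qualifier): permission bits}."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            acl[(tag, qual)] = sum(PERM_BITS[c] for c in perms if c in PERM_BITS)
    return acl

def ls_mode(acl):
    """Octal mode as ls -l shows it: the group field displays the mask, not group::."""
    grp = acl.get(("mask", ""), acl[("group", "")])
    return "%d%d%d" % (acl[("user", "")], grp, acl[("other", "")])

def allowed(acl, uid, groups, owner, owner_group, want):
    """Linux posix_acl_permission() order: owner, named user, then owning group
    and named groups with the mask applied (a matching group entry that denies
    ends the search); other:: counts only when no group entry matched."""
    mask = acl.get(("mask", ""), 7)
    if uid == owner:
        return acl[("user", "")] & want == want
    if ("user", uid) in acl:
        return acl[("user", uid)] & mask & want == want
    matched = False
    for (tag, qual), perms in acl.items():
        if tag == "group" and (owner_group in groups if qual == "" else qual in groups):
            matched = True
            if perms & mask & want == want:
                return True
    return False if matched else acl[("other", "")] & want == want

# ACL of /home/jeremy exactly as pasted in the question (owner jeremy, group collective).
BEFORE = parse_acl("user::rwx\nuser:www-data:r-x\ngroup::r-x\nmask::r-x\nother::---")
# What the Solution (chmod 755; setfacl -m g::---; setfacl -m u:www-data:rx) leaves
# behind: chmod 755 sets other::r-x and setfacl recomputes the mask as r-x.
AFTER = parse_acl("user::rwx\nuser:www-data:r-x\ngroup::---\nmask::r-x\nother::r-x")

def who_can_read(acl):
    """Which constructed users can list jeremy's home (needs r-x on the directory)."""
    users = {"jeremy": ["collective"], "josh": ["collective"],
             "www-data": ["www-data"], "austin": ["austin"]}  # constructed memberships
    return {u: allowed(acl, u, gs, "jeremy", "collective", R | X) for u, gs in users.items()}
```

Running it shows josh (in collective) losing access once group:: is ---, even though the mask and the ls -l group field stay r-x for www-data's sake; a user outside collective such as austin falls through to other::, which chmod 755 left at r-x, so the ACL alone does not hide the directory from such users.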
Try changing the mask to "---"?
Or revoke the group permission with setfacl. chmod and setfacl do not work too well together.
Well, you can't stop users seeing "outside their home directories" without a full chroot, because they're always going to be able to see into system directories like /usr/bin (because that's how programs get run). I don't see how the setfacl command you gave will produce the results shown; can you give the output of getfacl and ls -l for a user's home directory in your question?
For jailing, newer versions of ssh support the ChrootDirectory option. For scp only connections, I've used scponly successfully in the past.
As for apache seeing the files, you didn't quite get the chmod right. Try something like this (assumes apache uses the apache group):
cd /home
chmod 750 * # owners can do everything, group members can read, others can do nothing
chgrp -R apache * # by changing group to apache, apache can now read the files.
Remember, you don't want to add regular users to the apache group.
hayalci's comment helped a good deal. Instead of using CHMOD to prevent other groups from accessing the data, I used: