Security question: apache access but no DH user ac

Security question: apache access but no DH user ac

Posted by: PoojanWagh
Posted on: 2008-08-18 10:53:00

Is there a way to allow apache (dhapache) access to my web files, but disallow other dreamhost shell users from accessing them? According to the wiki (http://wiki.dreamhost.com/Security), to allow apache access, the directories need to be executable by other (o+x) and files need to be readable by other (o+r).

I have a ZenPhoto site. I want only my family members to be able to see it. As a result, I set it up with logins per member (using the ZenPhoto interface).

This works well for me. However, a possible scenario occurs to me:

I need to have the zenphoto directory be "world" readable so that Apache can get to it. However, doesn't this mean that all other DreamHost shell users can also get to it?

More generally, my home directory has permissions 751 (the default). However, doesn't that mean that _anyone_ can cd into it? If the zenphoto directory has permissions of 755, can't _anyone_ cd into that sub-directory and list the files? And if a picture file in there (call it compromising.jpg) has permissions 644, can't anyone look at it?

Re: Security question: apache access but no DH use

Posted by: patricktan
Posted on: 2008-08-19 06:12:00

You can try to protect the directory with a username and password via DH panel --> Goodies --> Htaccess/WebDav

Re: Security question: apache access but no DH use

Posted by: PoojanWagh
Posted on: 2008-08-19 07:08:00

Thanks for the suggestion, patrick. However, using the WebDAV/htaccess method restricts you from accessing the directory using ssh (shell access). I know this is the case with WebDAV; not sure about htaccess.

Nonetheless, it does solve the problem in that the *only* way to access the directory will now be via the web. So, no one (including you) can access it from your shell account. I was wondering if there's a way to allow shell access, allow limited (login) web access, but restrict other dreamhost users from shell access.

Re: Security question: apache access but no DH use

Posted by: patricktan
Posted on: 2008-08-20 19:15:00

I don't think that is possible.

Once you give access to the public, even with limited web access, the read permission must be granted to all. Therefore all users from web and shell have access to read the files. The only way to protect the directory is to set a username and password using htaccess or webdav.

If that does not work for you, I can't think of anything to help. Let's see others' replies.

Re: Security question: apache access but no DH use

Posted by: sdayman
Posted on: 2008-08-20 19:27:00

Turning on Enhanced Security for your user will stop others with shell access from getting into your home directory. Apache still runs, as it has the same access you do.
http://wiki.dreamhost.com/Enhanced_User_Security

Did you manually install Zenphoto? The Easy One-Click install doesn't go into your home directory.

-Scott

Re: Security question: apache access but no DH use

Posted by: patricktan
Posted on: 2008-08-20 20:22:00

In reply to:

What this means is that the permissions on your home directory will be changed such that absolutely no one besides your user, or the apache user will be able to view anything inside your home directory.


Does Apache still have access to the directory if enhanced security is turned on?

Re: Security question: apache access but no DH use

Posted by: sdayman
Posted on: 2008-08-20 21:17:00

It does for me. I have it turned on for all of my users.

-Scott

Re: Security question: apache access but no DH use

Posted by: patricktan
Posted on: 2008-08-21 00:39:00

That is good.

I haven't tried that but it is a really good feature.

Re: Security question: apache access but no DH use

Posted by: PoojanWagh
Posted on: 2008-08-21 07:12:00

Excellent, Scott. This is exactly what I was looking for.

I was going down the path of chgrp my directory to dhapache. The DH admins did it for me with a test case. I'll let you know if that works (too). I didn't realize the web-panel had the equivalent functionality built-in. Thanks!
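The permission walk described in the first post (every directory on the path needs o+x, the file itself needs o+r, so 751/755/644 lets any other shell account read the picture) and the group-ownership fix mentioned in this last post can both be checked from mode bits alone. The script below is an added example, not code from the thread or from DreamHost: it reads the mode column of `ls -ld`, decides whether a given permission class (owner, group, or other) can reach a file, and runs that check on a constructed tree using the exact modes from the question before and after tightening the directory to 750. The `chgrp dhapache` step is only shown as a comment, since that group does not exist outside DreamHost; a plain chmod is enough to show why group access survives while the "other" class is blocked.

```shell
#!/bin/sh
# Added example (not from the thread). can_read decides, from mode bits only,
# whether permission class CLASS (u = owner, g = group, o = other) could open
# a file: every directory from TOP down to the file needs x for that class,
# and the file itself needs r. Every other shell user on a shared host falls
# into the "other" class, which is what the first post is worried about.

# mode_string PATH -> the 10-character mode column of `ls -ld` (POSIX output),
# e.g. "drwxr-x--x" for a 751 directory.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# has_bit PATH CLASS BIT -> true if the mode column shows BIT (r|w|x) for CLASS.
# Column offsets in "drwxr-x--x": u = columns 2-4, g = 5-7, o = 8-10.
has_bit() {
    case $2 in u) base=1 ;; g) base=4 ;; o) base=7 ;; *) return 1 ;; esac
    case $3 in r) off=1 ;; w) off=2 ;; x) off=3 ;; *) return 1 ;; esac
    col=$((base + off))
    ch=$(mode_string "$1" | cut -c"$col")
    case $ch in
        "$3") return 0 ;;
        s|t) [ "$3" = x ] && return 0 ;;   # lowercase s/t means x is also set
    esac
    return 1
}

# can_read CLASS ABSPATH [TOP]
# Checks the file for r, then each directory from dirname(ABSPATH) up to and
# including TOP for x. Directories above TOP are assumed traversable (on a
# shared host /home is). Prints the first blocking component on failure.
can_read() {
    class=$1; path=$2; top=${3:-/}
    if ! has_bit "$path" "$class" r; then
        echo "blocked: $path lacks ${class}+r ($(mode_string "$path"))"
        return 1
    fi
    dir=$(dirname "$path")
    while :; do
        if ! has_bit "$dir" "$class" x; then
            echo "blocked: $dir lacks ${class}+x ($(mode_string "$dir"))"
            return 1
        fi
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# build_demo -> path of a constructed "home" directory with the modes from the
# question: home 751, zenphoto 755, compromising.jpg 644. mktemp's own
# directory is 700, so the checks below start at this home directory.
build_demo() {
    home=$(mktemp -d)/home
    mkdir -p "$home/zenphoto"
    : > "$home/zenphoto/compromising.jpg"
    chmod 751 "$home"
    chmod 755 "$home/zenphoto"
    chmod 644 "$home/zenphoto/compromising.jpg"
    echo "$home"
}

# before_fix -> true: with the default modes any "other" account reads the file.
before_fix() {
    home=$(build_demo)
    can_read o "$home/zenphoto/compromising.jpg" "$home"
}

# after_fix -> true: with the directory at 750 the group class (which would be
# Apache after `chgrp dhapache` on DreamHost) still reads the file, while the
# "other" class is stopped at the directory.
after_fix() {
    home=$(build_demo)
    chmod 750 "$home/zenphoto"        # on DreamHost also: chgrp dhapache "$home/zenphoto"
    can_read g "$home/zenphoto/compromising.jpg" "$home" &&
      ! can_read o "$home/zenphoto/compromising.jpg" "$home"
}

before_fix && echo "default modes: other can read"
after_fix && echo "750 + group ownership: group reads, other blocked"
```

The check is deliberately mode-only: it does not depend on which user runs it, so it reports what some other account would see rather than what your own account can open. It does not follow symlinks or consult ACLs (anything past column 10 of `ls -ld` is ignored), so treat it as a first pass over the 751/755/644 reasoning, not a full access-control audit.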
