Unix Group woes

I'm trying to do the following:
Have two directories in FTP (dir1, dir2) There are two users, usr1 and usr2. usr1 has full access (read/write/execute) to dir1 and dir2. usr2 has access only to dir2, and cannot read/write/execute anything except for what's in dir2.

It seems this has to be done through Unix Groups. So, I made two shell users (usr1 and usr2) and two groups (group_restricted and group_fullaccess) I then added usr1 to group_fullaccess and usr1 & usr2 to group_restricted. After that, I ssh into my webserver with usr1 and chgroup dir2 to group_restricted and chmod it so group users have write permissions (775) and add a shortcut to the directory. Yay, it works, usr2 can go into the shortcut and upload/view/download files from the directory :) Now here comes my problem...

I realize usr2 can cd up one level, and actually browse all of the folders on the server. The knowledgebase article addresses this, and says I need to change all of the other folders/files to group_fullaccess using GID bit. I do this, but... usr2 can still read all of the files, even though they're not a member of group_fullaccess.

What am I missing? Did I need to chmod after setting the GID bit? If so, what do I chmod it to so my website still works? Any help would be GREATLY appreciated. Thanks!

In reply to:

---

I realize usr2 can cd up one level, and actually browse all of the folders on the server. The knowledgebase article addresses this, and says I need to change all of the other folders/files to group_fullaccess using GID bit. I do this, but... usr2 can still read all of the files, even though they're not a member of group_fullaccess.

---

And what did you set the public permissions to on the parent directories?

Customer since 2000 openvein.org

I didn't chmod/set any permissions yet (didn't see anything about it in the knowledge base article)...

It made sense that I would probably need to, but I didn't want to mess up the permissions so it wouldn't be accessible from the web. The directory I want to allow usr2 to access is /home/usr1/mysite.com/usr2files. This directory is currently chmodded to 775. usr2 can cd to /home/usr1/mysite.com/ and browse all of my files (eck!)

If I chmod /home/user1/mysite.com to 700, would that screw everything up so someone going to mysite.com would get a permissions error?

In reply to:

---

It made sense that I would probably need to, but I didn't want to mess up the permissions so it wouldn't be accessible from the web. The directory I want to allow usr2 to access is /home/usr1/mysite.com/usr2files. This directory is currently chmodded to 775. usr2 can cd to /home/usr1/mysite.com/ and browse all of my files (eck!)

---

Well that's the way it works because web directories have to enable "public" permissions in order for the web server to work correctly. If you can't live with that, you have to use an alternative such as allowing usr2 to keep the files in his own directory and using an alias or symbolic link to it, or possibly using a program like rsync to copy/transfer the files instead.

However if any of your directories or files in the web directory are never opened by the web server itself (such as all those library source files included by PHP applications) then you can just disable both group and public permissions (since CGI runs as the domain user, which should be the owner of said files and directories to begin with).

Though of course if you're just worried about usr2 and no other user, just make usr2 is in the same group as the group owner of /home/usr1/mysite.com/ and then disable group permissions on that directory.


Customer since 2000 openvein.org

In reply to:

---

If I chmod /home/user1/mysite.com to 700, would that screw everything up so someone going to mysite.com would get a permissions error?

---

Sure will, but you can use 711




How To Install PHP.INI / ionCube on DreamHost