limit folder access
Bulk Mail
bulk at szmidt.org
Fri Mar 28 05:43:07 PDT 2008
On Thursday 27 March 2008, Ashley Snelgrove wrote:
> Hi there,
>
> What is the best way to limit what a user can see in the system? If
> there are directories I don't want some users to have access to what
> is the best way to restrict that? For example, if a user has a home
> directory and is also part of a group administering a web site, all
> that is really needed is access to the home directory and the web
> folder. But because he needs access to the web folder I can't just
> chroot him in his home folder. I thought about making his home folder
> the web folder but there may be more web admins later. Is there a way
> to be selective, I guess, in what is accessible and what is not?
>
> Thanks for your help!!
>
> Ash
> _______________________________________________
> Openbsd-newbies mailing list
> Openbsd-newbies at sfobug.org
> http://mailman.theapt.org/listinfo/openbsd-newbies

Unices in general do not have very fine-grained permission options.

First, in Unix everything is considered a file. There are many special types
of files like directories, symbolic and hard links. Even a partition is
considered a file. As is your video card, and so on.

Each one has read, write and execute permissions. They are grouped by owner,
group and all others. But because of the locations of executables and config
files one can lock it down pretty well by having different partitions.

For example, you can mount a partition with read and execute but not write
permissions. This is good for the /usr partition where a user has no
business writing anything. Root is the administrator and the owner of most
files. So you could have the owner able to read, write and execute. In this
case you don't want anyone to write anything so they are limited to read and
execute.

On the other hand the /etc partition does not need to execute anything so you
give it read and write permissions. Root can read and write, group could have
write permissions, and again others can only read.

This way someone who for example gains access via a poorly written web script,
or one of the web site people, they will only have the access to make changes
to the web site but nothing else. They cannot write a file and then execute
the content. I usually create a home for each client under /home where they
can read and write to their web site. At the same time they only have read &
write permissions there. Apache's executable is under /usr or maybe /opt if
your needs vary.

If you google for securing unix web server or something similar you will find
lots of examples on how to lock it down. Be aware that sandboxes are usually
not considered very secure as one tends to be able to break out of them too
easily. Not to say don't use them, but it's not a perfect security solution.
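
Added example, not part of the original message: a small sh audit that checks fstab(5)-style lines against the partition layout described above. Reading "read and execute but not write" for /usr as the `ro` mount option and "read & write" only for /home as `noexec` is an assumption; the function names, device names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Policy assumed from the message above (not an OpenBSD default):
#   /usr  must carry "ro"      (read and execute, no writes)
#   /home must carry "noexec"  (read and write, nothing executed)

# has_opt OPTIONS WANTED: succeed if WANTED is in the comma-separated list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FILE: print one line per violation; return 1 if any were found.
audit_fstab() {
    status=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case "$mnt" in
            /usr)  want=ro ;;
            /home) want=noexec ;;
            *)     continue ;;                     # no policy for other mounts
        esac
        if ! has_opt "$opts" "$want"; then
            echo "$mnt: missing '$want' (options: $opts)"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Constructed sample input; the device names are made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# device  mount  type  options                 dump pass
/dev/wd0a /      ffs   rw                      1 1
/dev/wd0d /usr   ffs   rw,nodev                1 2
/dev/wd0e /home  ffs   rw,nodev,nosuid,noexec  1 2
EOF

audit_fstab "$sample" || echo "policy violations found"
rm -f "$sample"
```

On the sample, only /usr is reported, because it is mounted `rw`; /home already carries `noexec`, so a file written there cannot be executed directly from that partition.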