restrict ftp user...
anton
06-18-2001, 12:04 AM
Hello,
I've added a user, made his home directory /home/httpd/html/anton ... so he can have like his own web page ...
but the problem is that he can read/delete (but not write) to any other directory ... how would I go about restricting that?
thanks : )
Craig McPherson
06-18-2001, 12:13 AM
What do you mean, he can delete to any other directory? I'll bet he can not delete files outside of his home directory unless he has write access to that directory, and very few directories on the system are world-writable.
If you're worried that he can enter directories other than his home directory, you can do one of these things:
1. Live with it. He can't change or delete anything outside of his home directory, nor read any files that he shouldn't be able to (like /etc/shadow).
2. Configure your FTP daemon to not allow him to leave his home directory.
mikeparks
06-18-2001, 12:27 AM
Craig is right, if he does not have write permission, he surely can not delete.
BTW Craig, I noticed that you're at Fayetteville. I'm at LR.
anton
06-18-2001, 12:41 AM
OK, he can't read stuff from the etc directory, for example, but he can read/delete stuff from other people's home directories. How would I go about restricting that?
thanks : )
Craig McPherson
06-18-2001, 01:12 AM
He can't delete a file unless he has EITHER write access to the file, or write access to the directory the file is in.
Probably he's just mistaken, but check the permissions on the users' home directories. They should not be world-writable.
Dark Ninja
06-18-2001, 01:17 AM
Well, for example, look at this chart (BTW - I'm a newbie on this too, so this is just from what I know offhand)
---------- This indicates a normal file which can not be read from, written to, or executed by anybody at all.
-rwx------ This is a normal file which can be read from, written to, and executed by the owner of the file, but nobody else.
-rwxrwx--- This is a normal file which can be read from, written to, and executed by the owner of the file and members of the file's group, but not anybody else.
-rwxrwxrwx This is a normal file which can be read from, written to, and executed by any user anywhere.
-rwxr--r-- This is a normal file which can be read from, written to, or executed by its owner. Members of the group associated with this file can read the file, but can not write to it or execute it. All other users which are neither the owner of the file, nor belong to the file's group, can read from the file but cannot write to it or execute it.
drwxrwx--- This is a directory which can be read from, written to, or visited by its owner and members of the file's group, but not by anybody else.
-rw-rw-r-- This is a normal file which can be read from by any user anywhere, but can only be written to by the file's owner and members of the file's group.
Now, it is recommended that you read up on chmod, which changes the file permissions for different users and/or groups. (man chmod)
But, one way (and probably not the BEST way) of doing this would be to make the other files in the home directory not readable and writable to that user. (You have to read up on chmod for more on that.)
Dark Ninja
P.S. Sorry if that seemed like too simple of an answer, but, I'm trying to learn about Linux too, and so I look some of this stuff up, and if I can grasp the concept, then I try to apply the idea to the message board. Here's the link I found if you want to read more.
Setting Permissions In Linux (http://linux.about.com/compute/linux/library/weekly/aa091899c-a2.htm?iam=spkask&terms=How+do+I+set+user+permissions+in+Linux)
anton
06-18-2001, 01:24 AM
thanks, Dark Ninja, I was very bad with all those permissions, that's cleared them up a little : )
and if I make like -rwx------ ... only the directory itself, not files in it, then nobody will be able to do anything with files also, besides the owner ?
And if I make one home directory inside of the other?
like ... /.../httpd/html is like for main html file
and /.../httpd/html/anton for that user (anton) ...
can I do like that?
thanks.
Craig McPherson
06-18-2001, 01:32 AM
First of all, I don't think it's a good idea for you to be creating user home directories under the WWW root.
You should be putting the home directories in /home, where they're supposed to go, then make symlinks under the WWW root.
IE, if you want /home/httpd/html/anton, then make Anton's home directory /home/anton, and symlink /home/httpd/html/anton to /home/anton/public_html or something like that. The way you're doing it is weird and is likely to cause problems.
If a directory doesn't have execute (x) permission, then nobody will be able to get into it at all, or access any files under it, no matter what. That includes the web server.
Dark Ninja
06-18-2001, 01:33 AM
Like I said, I'm new, but what I would do is not set the permissions to user only for the entire directory tree, just for the personal folder for the user (anton in this case). That way, he won't be able to mess with the 'html' folder which is a level above his. Just allow his folder to be touched by him, and that's it.
(If I'm wrong, someone please correct me, so I can learn.)
Dark Ninja
anton
06-18-2001, 01:57 AM
Craig: yes, you're probably right, I should do it that way ... but how do I make symlinks? (sorry, I'm a total newbie)
Ninja: but how can I just set specific permissions for a specific directory only to one user?
thanks again
Craig McPherson
06-18-2001, 02:02 AM
You make symlinks with ln -s. A symlink is just a pointer, really.
If you want /home/httpd/html/anton to be a pointer to /home/anton/public_html, you can use this command:
ln -s /home/anton/public_html /home/httpd/html/anton
Note that for the web server to be able to get into the directory, the /home/anton directory will have to be a+x, the /home/anton/public_html directory will have to be a+x, and any document files in the public_html directory will have to be a+r.
anton
06-18-2001, 02:29 AM
Craig: I did everything like you said, but now it gives me "permission denied" when I try to upload something in the public_html directory under /home/anton : (
Craig McPherson
06-18-2001, 03:37 AM
When who tries to upload something to that directory? The Anton user? Does Anton own the directory and have write access to it?
/home/anton should be mode 755 (or 711, if you want to forbid other users from getting a directory listing of it), /home/anton/public_html should be 755 (or 711, as above), and any files in the directory should be 644.
anton
06-18-2001, 08:58 AM
yes, I made /home/anton chmod 755 and /home/anton/public_html chmod 755, but Anton gets permission denied when he tries to upload to /home/anton/public_html ... but he can upload fine to /home/anton ...
and I also made /home/httpd/html/anton chmod 755
Craig McPherson
06-18-2001, 06:55 PM
But is Anton the owner of those directories?
anton
06-18-2001, 07:16 PM
Craig: I don't think he was , but I already got everything working, so thanks for everything :) ... I will have more questions later :D
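The layout recommended in this thread (home directory and public_html traversable by others, documents readable by others, nothing world-writable, everything owned by the user) can be checked with a short script. This is an added example, not part of the original posts; the function names and the mktemp sample tree are constructed, and owners are compared as numeric UIDs.

```shell
# Added example: audit a /home/<user>/public_html layout. Owners are numeric UIDs.

# Print "<mode-string> <uid>" for a path, e.g. "drwxr-xr-x 1000".
mode_uid() {
    ls -ldn -- "$1" | awk '{print $1, $3}'
}

# check_entry PATH EXPECTED_UID NEED (x: others must traverse a directory,
# r: others must read a document). Prints one line per finding.
check_entry() {
    [ -e "$1" ] || { echo "MISSING $1"; return 0; }
    set -- "$1" "$2" "$3" $(mode_uid "$1")
    path=$1 want=$2 need=$3 mode=$4 uid=$5
    other_r=$(printf '%s' "$mode" | cut -c8)
    other_w=$(printf '%s' "$mode" | cut -c9)
    other_x=$(printf '%s' "$mode" | cut -c10)
    [ "$uid" = "$want" ] || echo "OWNER $path: uid $uid, expected $want"
    [ "$other_w" = w ] && echo "WORLD-WRITABLE $path"
    case $need in
        x) case $other_x in x|t) ;; *) echo "NO-TRAVERSE $path" ;; esac ;;
        r) [ "$other_r" = r ] || echo "NO-READ $path" ;;
    esac
    return 0
}

# audit_webdir HOME_DIR EXPECTED_UID: home and public_html need o+x (755 or
# 711), documents need o+r (644), nothing world-writable, all owned by the user.
audit_webdir() {
    home=$1 owner=$2
    check_entry "$home" "$owner" x
    check_entry "$home/public_html" "$owner" x
    for f in "$home/public_html"/*; do
        [ -f "$f" ] && check_entry "$f" "$owner" r
    done
    return 0
}

# Constructed sample tree standing in for /home/anton (built under mktemp).
make_sample() {
    d=$(mktemp -d) && mkdir "$d/public_html" && echo hi > "$d/public_html/index.html"
    chmod 755 "$d" "$d/public_html" && chmod 644 "$d/public_html/index.html"
    echo "$d"
}

sample=$(make_sample)
audit_webdir "$sample" "$(id -u)"          # recommended layout: no output
chmod 700 "$sample/public_html"
audit_webdir "$sample" "$(id -u)"          # NO-TRAVERSE .../public_html
rm -rf "$sample"
```

On a real system the call would look like `audit_webdir /home/anton "$(id -u anton)"`; an OWNER finding there corresponds to the upload failure discussed above, where the directory is not owned by the user who is uploading.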