Ok thank you.

If I understood you right, here is what I have done

From my user.

ls -all

lrwxr-xr-x  1 root   empty   27 Jun 30 20:11 domain1 -> /var/www/users/domain1
lrwxr-xr-x  1 root   empty   24 Jun 30 20:11 domain2 -> /var/www/users/domain2

From root

#/var/www/users/
# ls -all
total 16
drwxr-xr-x   4 root   daemon  512 Jun 30 20:09 .
drwxr-xr-x  10 root   daemon  512 Jun 30 20:09 ..
drwxr-x---   3 empty  www     512 Jun 30 20:12 domain1
drwxr-x---   3 empty  www     512 Jun 30 20:09 domain2

There it is. Works just fine. Permissions are correct and secure (I hope)

Johan


> On 30 June 2016 at 19:54, Alexander Hall <alexan...@beard.se> wrote:
>
> On Wed, Jun 29, 2016 at 09:37:36PM +0200, Stefan Sperling wrote:
>> On Wed, Jun 29, 2016 at 08:15:35PM +0200, Johan Tärnklint wrote:
>>> Seeking advice / security tips.
>>>
>>> Is it safe to create /var/www/htdocs/user1 and symlink to their home folder?
>>>
>>> Then set permissions to user1:www on /var/www/htdocs/user1 ?
>>>
>>> Does it break the chroot? Is it safe? Better solution?
>>
>> It won't work. httpd in chroot cannot read files outside of /var/www,
>> so it cannot access /home/user1.
>>
>> Allowing web access to the full home directory of a user is not a good
>> idea anyway. There are configuration files in there, some of which may
>> contain sensitive information. Users may make errors while configuring
>> permissions for sensitive files, accidentally exposing private information.
>>
>> Instead, you could do it the other way around: Create a symlink in the
>> user's home dir which points to the user's dir in /var/www:
>>
>>  /home/user1/public_html -> /var/www/htdocs/user1
>>
>> Now users can place files they want to expose to the web into ~/public_html
>> and the web server will be able to read them.
>>
>
> I'm not entirely sure you guys are describing different things. :-)
>
> - Actual directory somewhere under /var/www, writable by $USER
> - Symlink as whatever (public_html, www, ...) in $HOME/, pointing at
>  above directory
>
> If the actual directory is within the chroot, it certainly won't break
> no matter how many symlinks you point at it.
>
> /Alexander
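
One way to audit the layout discussed in this thread, as an added example that is not part of the original messages: the hypothetical `check_link` function confirms that a symlink in a user's home resolves to a directory inside the httpd chroot (`/var/www` by default, as named above) and that the target grants nothing to "other", matching the `drwxr-x---` listing. The verdict strings and the choice to treat any "other" bit as a failure are assumptions.

```shell
#!/bin/sh
# Added example: audit a home-directory symlink that points into the httpd chroot.
# check_link is a hypothetical helper name; CHROOT defaults to /var/www.

# check_link LINK [CHROOT]
# Prints one verdict line; returns 0 if the layout is OK, 1 otherwise.
check_link() {
    link=$1
    chroot=${2:-/var/www}

    [ -L "$link" ] || { echo "FAIL $link: not a symlink"; return 1; }

    # Resolve both paths physically so nested symlinks and ".." cannot
    # hide a target that really lives outside the chroot.
    root=$(cd -P -- "$chroot" 2>/dev/null && pwd -P) ||
        { echo "FAIL $chroot: cannot resolve chroot"; return 1; }
    target=$(cd -P -- "$link" 2>/dev/null && pwd -P) ||
        { echo "FAIL $link: dangling or unreadable target"; return 1; }

    # Compare with a trailing slash so /var/www2 does not pass as /var/www.
    case $target/ in
        "$root"/*) ;;
        *) echo "FAIL $link -> $target: outside $root"; return 1 ;;
    esac

    # Mode string from ls -ld (e.g. drwxr-x---); characters 8-10 are the
    # permission bits for "other" and should all be unset.
    mode=$(ls -ld -- "$target" | cut -c1-10)
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "WARN $link -> $target: mode $mode grants access to others"
        return 1
    fi

    echo "OK   $link -> $target ($mode)"
}
```

Run it once per link, for example `check_link ~/domain1`; it does not check owner or group, so compare those against the `ls` output by hand.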
