On Thu, Jun 30, 2016 at 08:21:12PM +0200, Johan Tärnklint wrote:
> Ok thank you.
>
> If I understood you right here is what I have done
>
> From my user.
>
> ls -all

(second 'l' is excessive)

>
> lrwxr-xr-x 1 root empty 27 Jun 30 20:11 domain1 -> /var/www/users/domain1
> lrwxr-xr-x 1 root empty 24 Jun 30 20:11 domain2 -> /var/www/users/domain2
>
> From root
>
> #/var/www/users/
> # ls -all
> total 16
> drwxr-xr-x 4 root daemon 512 Jun 30 20:09 .
> drwxr-xr-x 10 root daemon 512 Jun 30 20:09 ..
> drwxr-x--- 3 empty www 512 Jun 30 20:12 domain1
> drwxr-x--- 3 empty www 512 Jun 30 20:09 domain2
>
> There it is. Works just fine. Permissions are correct and secure (I hope)

Assuming your user is called 'empty' and the ownership and permissions on
files in the domain* directories follow the same pattern as the directories,
I'd say so.

>
> Johan
>
>
>
> On 30 June 2016 at 19:54, Alexander Hall <alexan...@beard.se> wrote:
> >
> > On Wed, Jun 29, 2016 at 09:37:36PM +0200, Stefan Sperling wrote:
> >> On Wed, Jun 29, 2016 at 08:15:35PM +0200, Johan Tärnklint wrote:
> >>> Seeking advice / security tips.
> >>>
> >>> Is it safe to create /var/www/htdocs/user1 and symlink to their home folder?
> >>>
> >>> Then set permissions to user1:www on /var/www/htdocs/user1 ?
> >>>
> >>> Does it break the chroot? Is it safe? Better solution?
> >>
> >> It won't work. httpd in chroot cannot read files outside of /var/www,
> >> so it cannot access /home/user1.
> >>
> >> Allowing web access to the full home directory of a user is not a good
> >> idea anyway. There are configuration files in there, some of which may
> >> contain sensitive information. Users may make errors while configuring
> >> permissions for sensitive files, accidentally exposing private information.
> >>
> >> Instead, you could do it the other way around: Create a symlink in the
> >> user's home dir which points to the user's dir in /var/www:
> >>
> >> /home/user1/public_html -> /var/www/htdocs/user1
> >>
> >> Now users can place files they want to expose to the web into ~/public_html
> >> and the web server will be able to read them.
> >>
> >
> > I'm not entirely sure you guys are describing different things. :-)
> >
> > - Actual directory somewhere under /var/www, writable by $USER
> > - Symlink as whatever (public_html, www, ...) in $HOME/, pointing at
> >   above directory
> >
> > If the actual directory is within the chroot, it certainly won't break
> > no matter how many symlinks you point at it.
> >
> > /Alexander
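
The layout the thread settles on (a real directory under /var/www, reached through a symlink in the user's home, owned by the user with group www and mode drwxr-x---) can be checked with a short script. This is an added example, not part of any message above; the function name `audit_weblink` and its argument order are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. audit_weblink and its arguments are
# hypothetical names chosen for this illustration.
#
# usage: audit_weblink LINK WEBROOT OWNER GROUP
#   e.g. audit_weblink /home/user1/public_html /var/www user1 www
# Prints one FAIL line per problem; returns 0 only when nothing failed.
audit_weblink() {
    link=$1 webroot=$2 owner=$3 group=$4 rc=0

    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }

    # Resolve both paths physically so nested symlinks cannot hide an escape.
    target=$(cd -P "$link" 2>/dev/null && pwd -P) ||
        { echo "FAIL: $link does not resolve to a directory"; return 1; }
    root=$(cd -P "$webroot" 2>/dev/null && pwd -P) ||
        { echo "FAIL: $webroot is not a directory"; return 1; }

    # The trailing slash keeps /var/www2 from matching /var/www.
    case $target/ in
        "$root"/*) ;;
        *) echo "FAIL: $target is outside $root; chrooted httpd cannot read it"
           rc=1 ;;
    esac

    # ls -ld is parsed because stat(1) flags differ between BSD and GNU.
    set -- $(ls -ld "$target")
    mode=$1 got_owner=$3 got_group=$4

    [ "$got_owner" = "$owner" ] ||
        { echo "FAIL: owner is $got_owner, expected $owner"; rc=1; }
    [ "$got_group" = "$group" ] ||
        { echo "FAIL: group is $got_group, expected $group"; rc=1; }
    case $mode in
        ????r-[xs]*) ;;   # web server group may read and traverse, not write
        *) echo "FAIL: group bits in $mode are not r-x"; rc=1 ;;
    esac
    case $mode in
        ???????---*) ;;   # no access for other local users
        *) echo "FAIL: $mode grants access to other users"; rc=1 ;;
    esac
    return $rc
}
```

The check covers only the directory itself; files inside it need the same ownership and mode pattern, as the reply above notes.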