1

I am creating a system for multiple webmasters for storing and serving their websites. They have their Linux accounts and home directories. Their public_html folders are linked via the `ln -s` command to the web server html directory /usr/share/nginx/html/ so they are visible on the internet.

But users can watch home folders of other users. I would like to prevent them from watching folders that are not theirs.

How to get it?

Here is the privileges info of the user.

```
abc@localhost:/home/gameboy$ sudo namei -mo /home/abc/public_html/info.php 
[sudo] password for abc: 
f: /home/abc/public_html/info.php
 drwxr-xr-x root root /
 drwxr-xr-x root root home
 drwxr-xr-x abc  abc  abc
 drwxr-xr-x abc  abc  public_html
 -rw-r--r-- abc  abc  info.php
abc@localhost:/home/gameboy$ id abc
uid=1002(abc) gid=1002(abc) grupy=1002(abc),27(sudo)
abc@localhost:/home/gameboy$ 
```
trzczy

1 Answer

2

I can see that the user abc is a member of the sudo group. This means (at least on Ubuntu systems) that this user has the ability to execute commands with sudo (gain root access).

If this applies to all users you are talking about, then you cannot prevent them from accessing others' files. The user can simply become root and do whatever he/she wants to do.

If we skip this point, you need to set each file's/folder's permissions so that it is only readable/writable by the user and readable only by a specific group like www-data, to enable the web server to access them (chmod 750 for folders and chmod 740 for files).

Khaled
  • Thanks for the good answer :) I'd suggest - adding to your answer - *remove users from `sudo` group* – Yaron Feb 23 '17 at 13:00
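
The permission scheme from the answer and the sudo check from the comment, written out as a script. This is an added example, not part of the original answer: the function names are made up here, and `www-data` is assumed to be the group the nginx workers run under (GNU `find` is assumed for `-perm /007`).

```sh
#!/bin/sh
# Added example; function names are hypothetical.

# Print every directory or file under $1 that grants any permission
# bit to "other" (the r-x / r-- seen in the namei output).
world_accessible() {
    find "$1" \( -type d -o -type f \) -perm /007 -print
}

# Apply the answer's scheme to one home directory:
# group = web server group ($2, assumed www-data), dirs 750, files 740.
# Symlinks are skipped so that link targets outside the home stay untouched.
lock_down_home() {
    find "$1" \( -type d -o -type f \) -exec chgrp "${2:-www-data}" {} + || return 1
    find "$1" -type d -exec chmod 750 {} + || return 1
    find "$1" -type f -exec chmod 740 {} +
}

# List the members of the sudo group, one per line. Anyone listed here
# can become root, so file permissions do not restrict them.
sudo_members() {
    getent group "${1:-sudo}" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Usage: script HOME_DIR [GROUP]
# Reports what is exposed, locks the home down, then lists sudo members.
if [ "$#" -ge 1 ]; then
    echo "Accessible to other users before the change:"
    world_accessible "$1"
    lock_down_home "$1" "${2:-www-data}" || exit 1
    echo "Members of the sudo group:"
    sudo_members
fi
```

Changing the group to one the caller does not belong to requires root, so run it with sudo against each user's home.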