
I'm giving my friend a host on my dedicated server. I created a new user for him:

Debian server.

adduser friend

Adding user `friend' ...
Adding new group `friend' (1000) ...
Adding new user `friend' (1000) with group `friend' ...
Creating home directory `/home/friend' ...
Copying files from `/etc/skel' ...

Problem: He can go to my "/var/www/" directory which contains config files with passwords. And he can simply download my site, which I don't want him to do.

What I need: Set permission, so he can only go to his own directory. And not lurk in my folders.

I want him to only be able to go to /var/www/html/site.com

Does anyone have any idea how this can be done?

Thanks, I really appreciate the help I can get.

DerfK
Muazam

2 Answers

By default, Debian uses the www-data user and www-data group for web servers. If you use chgrp to change the group of your site's files and folders to www-data and then chmod to give group read access and revoke "other" access, Apache will be able to access your website's files, but your friend will not have access when he logs in (unless you've added him to the www-data group).

If you have PHP or some other scripting language enabled in the server, you're going to have to replace it with suPHP or suEXEC so that your friend can't run scripts as the www-data user. Without that he can write a script or CGI that can read your configuration files for him.

DerfK
  • Wouldn't it be better to just remove the new user from those groups? That way you are not messing about with any services on the box – Jon Reeves Apr 20 '11 at 16:58
  • DerfK@ Thanks for the fast reply and spelling correction. I've tried a lot of tutorials and most of them are outdated. Do you have any updated tutorials? Thanks! – Muazam Apr 20 '11 at 18:26
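
The chgrp/chmod step from the answer above, as an added example that is not part of the original posts: it hands a site tree to the web server's group, strips all "other" access, and then audits for anything a different local user could still reach. The function names and the path in the usage comment are hypothetical; the group defaults to Debian's www-data as the answer states.

```sh
#!/bin/sh
# Added example (not from the original thread).
# Assumptions: function names are illustrative; GROUP defaults to www-data.

# lock_down DIR [GROUP]
#   Give the tree to GROUP, grant the group read access (plus directory
#   traversal), and revoke every permission for "other".
lock_down() {
    dir=$1
    group=${2:-www-data}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # -h: change symlinks themselves, never the files they point to
    chgrp -hR -- "$group" "$dir" || return 1
    # X adds execute/search only to directories (and files that are
    # already executable), so plain config files do not become executable
    chmod -R g+rX,o-rwx -- "$dir"
}

# audit_other DIR
#   Print every path under DIR that "other" can still read, write or
#   enter. Symlinks are skipped because their mode bits are not enforced.
#   Empty output means a user outside the owner and group gets nothing.
audit_other() {
    find "$1" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Usage, as root, on the site owner's own tree (hypothetical path):
#   lock_down /var/www/html/mysite
#   audit_other /var/www/html/mysite     # should print nothing
#   id friend                            # must not list www-data
```
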

You could chroot him in that folder.

See here...

Alex
  • Alex@ I tried to follow it, but I don't have the "ssh-dummy-shell" or any of the files. Thanks though. – Muazam Apr 20 '11 at 18:22
  • @Muazam, does this work for you? http://www.debian-administration.org/articles/590 – Alex Apr 21 '11 at 13:20