0

On Debian 8 I'm running apache2 in a jailed environment using jailkit and the userdir mod. In the current jail setup users can navigate into another user's directory, i.e.

/home/jail/home/anotheruser

and view files in it but can navigate into folders

I tried jailing users to their home folder using

chmod 0700 /home/jail/home/*

Now when I try to navigate into another user's directory I get

 Permission denied

But now when I browse to the user's website I get

You don't have permission to access / on this server.

It worked before I did the chmod. So how do I jail users to their home but still allow their websites to be viewed?

I tried adding www-data to a user's group

groups test
test : test

usermod -a -G www-data test
groups test
test : test www-data

But still get permission denied.

Lurch

1 Answer

0

I'm not very clear on how your current environment is set up, but you seem to be confusing chroot ("jailkit") and permissions.

You omitted to tell us anything about the OS this runs on although your paths and reference to jailkit suggest a Unix or Linux system.

People often perceive permissions as a way of preventing access, but they should be thought of as a means for sharing access in a defined way. Hence...

Many such systems will create a new group for each user (and set this as the default). If this is not the case, then it should be simple to add these groups. Once you have these groups and they are used as the default for each user, then you just need to add the webserver uid to each of the groups, then update the directory permissions to drwxr-x--- and file access to -rw?r-?--- to allow the webserver to read the files but not other users. You should set the users' umask accordingly. However:

  1. this may break an existing permissions model if you have one
  2. if you allow users to run scripts in the webserver (Perl, bash, PHP etc) then it's trivial for them to bypass the restrictions on read access
  3. if you only allow static content (in the absence of HTTP authentication) the other users can retrieve the files from the webserver
symcbean
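The group scheme described in the answer above, as an added example that is not part of the original question or answer. The function names are hypothetical; it assumes the script runs as root, Apache runs as `www-data`, each directory under `/home/jail/home` is named after its owner, and each user's primary group is private to that user.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: run as root, Apache runs as
# www-data, each directory under /home/jail/home is named after its owner.

# in_group USER GROUP: succeed if USER is a member of GROUP.
in_group() { id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"; }

# lock_home DIR: directories drwxr-x---, files -rw?r-?--- (execute bits kept).
lock_home() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod u+rw,g+r,g-w,o-rwx {} +
}

# home_is_locked DIR: succeed if nothing under DIR is open to "other" or
# group-writable. Symlinks are skipped because their mode is always 0777.
home_is_locked() {
    [ -z "$(find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \
        -o -perm -020 \) -print)" ]
}

# secure_jail_homes ROOT WEBUSER: apply the scheme to every home under ROOT.
secure_jail_homes() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        user=$(basename "$home")
        grp=$(id -gn "$user" 2>/dev/null) || { echo "skip $home: no user $user" >&2; continue; }
        # -h: change symlinks themselves, never the files they point to,
        # since users control what is inside their own home.
        chgrp -hR "$grp" "$home"
        lock_home "$home"
        home_is_locked "$home" || echo "warning: $home still has loose modes" >&2
        # The web server joins the user's group. Note that
        # "usermod -a -G www-data test" does the reverse: it puts the user
        # test into the www-data group.
        in_group "$2" "$grp" ||
            echo "todo: gpasswd -a $2 $grp   # then restart apache2"
    done
}

# Typical invocation (as root):
#   secure_jail_homes /home/jail/home www-data
```

The script only reports missing group memberships instead of changing them, so the `gpasswd` lines can be reviewed before being run.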