John Richard Moser
nigelenki at comcast.net
Sat Oct 22 15:57:18 CDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bradley Shuttleworth wrote:
> Grrr - webmail and unintended form-activation.
>
> The second part of that is that the shared folder is per-user (e.g.
> /home/brad and /shared/brad/, with /shared/brad mapped to
> /home/brad/public). This also solves the issue of Apache needing
> access to user's home-dirs (where that's appropriate).
>
Remember, if /home/brad is 0700 and /home/brad/shared/ is 0777, nobody
can read /home/brad to find the inode number for /home/brad/shared even
via symlink.
That being said, having a /home/shared with 01777 permissions and with
/home/brad/shared -> ../shared/brad would have the following advantags:
- The directory exists outside of brad's home, which can't be looked
into anyway
- /home/shared is +t -- the owner of a directory entry is the only one
allowed to unlink it. james can't remove brad's files even though
they're in a 777 directory and chmod 777.
- /home/shared/brad is 0755 probably, while /home/shared/brad files are
also 0644 and directories are 0755.
- /shared would be on /, and /home may be a separate partition in some
advanced configurations
Apache needing access into /home is a whole issue in and of itself; of
course you could configure the UserDir module to look in
/home/shared/www/$USER/public_html I guess. Most users aren't running a
web server; server users may be, but they don't all WANT public_html.
These people become a corner case.
> Brad
>
> On 10/21/05, Bradley Shuttleworth <brad.shuttleworth at gmail.com> wrote:
>
>>Hi,
>>
>>For my R0.02, sharing files is far better managed by having a "public"
>>folder outside the home directory, and mapping it in (via symlinks,
>>etc). That accomplishes the same effect (being able to share files,
>>etc.) without having to resort to having everything world-readable.
>>
>>That way its obvious to the user where the "public" files go, and also
>>that other files _are_ hidden.
>>
>>Brad
>>
>>On 10/21/05, John Nilsson <john at milsson.nu> wrote:
>>
>>>On Fri, 2005-10-21 at 10:00 +0100, Colin Watson wrote:
>>>
>>>>On Thu, Oct 20, 2005 at 02:35:54PM -0700, George Farris wrote:
>>>>
>>>>>Having /home permissions be other than 0700 is a no no IMHO. It always
>>>>>has been on UNIX systems.
>>>>
>>>>No, it really hasn't! The ability for users to conveniently share files
>>>>has always come first in Unix.
>>>
>>>Even so, the implications of having to explicitly allow access to stuff
>>>you want to share is far less than the implications of unknowingly
>>>sharing stuff you thought was safe...
>>>
>>>Regards,
>>>John
>>>
>>>
>>>--
>>>ubuntu-devel mailing list
>>>ubuntu-devel at lists.ubuntu.com
>>>http://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>>>
>>
>>
>>--
>>Brad Shuttleworth
>>email: brad.shuttleworth at gmail.com
>>blog: http://rabbithole.co.za/
>>
>
>
>
> --
> Brad Shuttleworth
> email: brad.shuttleworth at gmail.com
> blog: http://rabbithole.co.za/
>
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDWqethDd4aOud5P8RAigLAJ4s6hazezvuybIHXmttEb7kp9A/QQCcCvSN
pCbQi0gHTOMcsVhTpRX6j9k=
=nUeB
-----END PGP SIGNATURE-----
More information about the ubuntu-devel
mailing list