I build a website that automatically manages a dedicated server. It does all sorts of things like creating users and apache settings to point to their home directory.
The home directories host game binaries, and the home folder can be accessed from the web, but only non-essential resource files (.wav .mdl .spr etc) can be accessed, that’s how apache is configured. So for this to work, I need execute and read permissions on all files.
The problem is that binaries run in one user’s home folder can access other users’ home folder, read and write to files in there.
How can I make a user’s home directory unaccessible to anyone else but him and via apache?
Here’s what the folder tree looks like:
http://i.imgur.com/LVFMle2.png (no rep to show image directly)
Set an ACL on each user’s home directory, to which Apache needs access. This lets you avoid silly tricks with groups, which can actually cause more problems than they solve.
setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/username
will allow the
httpd user to read everything in that directory, including subdirectories and any newly created files.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.