Allow access in home directory for apache but not other users?

Aron asked:

I build a website that automatically manages a dedicated server. It does all sorts of things like creating users and apache settings to point to their home directory.

The home directories host game binaries, and the home folder can be accessed from the web, but only non-essential resource files (.wav .mdl .spr etc) can be accessed, that’s how apache is configured. So for this to work, I need execute and read permissions on all files.

The problem is that binaries run in one user’s home folder can access other users’ home folder, read and write to files in there.

How can I make a user’s home directory unaccessible to anyone else but him and via apache?
Here’s what the folder tree looks like: (no rep to show image directly)

My answer:

Set an ACL on each user’s home directory, to which Apache needs access. This lets you avoid silly tricks with groups, which can actually cause more problems than they solve.

For example:

setfacl -R -m u:httpd:rx,d:u:httpd:rx /home/username

will allow the httpd user to read everything in that directory, including subdirectories and any newly created files.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.