LAMP File and Directory permissions

dashnaam · 08-01-2005, 03:54 PM

I have an interesting question relating to file and directory permissions on a lamp server in a classroom environment.

I'm teaching a php programming class where my students need ssh, sftp access to the server, however I do not want them to be able to see each others files when using these services. Of course they would all be able to see the interpreted results of the program after the application server is finished, but they absolutely cannot see the source code!!! (it would make grading a moot point).

What would be the best way to accomplish the desired result? I'm running fc4 apache 2, php5 and mysql 4.xxx. Currently my DocRoot location is set for /usr/local/apache/htdocs. I was originally thinking of placing home directories under the aforementioned location --> but this cannot be the most secure solution.

Any ideas?? And thanks very much in advance for any/all help!!!

-D

tkedwards · 08-01-2005, 11:17 PM

Code:

# Allow users to have their own public_html directory
UserDir public_html
UserDir disabled root

Now make that directory setgroup id:

Code:

chmod g+s /home/*/public_html
chown :apache /home/*/public_html

In /etc/profile add:

Code:

umask 0027

Now get them to put all their files in their public html directory. And do:

Code:

chmod -R o-rwx /home/*/public_html/

Now If you look in one of their public_html directories you should see permissions similar to this:

Code:

-rwxr-x---  1 tim apache 7000 Jul 19 22:02 index.php*

Where tim is the username, apache is the user that the apache server runs as and there are no permissions for the 'others' group. Now you just have to check that their umasks are 0027
and that they don't change them and that they don't use chmod to add permission for the others group.

If anyone has a cleaner way of doing this please speak up.