LinuxQuestions.org
Old 10-03-2006, 10:08 AM   #1
erat123
Member
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 69

Rep: Reputation: 16
virtual folders.. is it possible?


hi all,
i'm in the process of setting up a web hosting service for some of my friends. they're going to have their own domains and logins. i'm running ubuntu linux (server) on all the machines.

i would like to configure a samba server to control user and group rights. this is what i'm stuck on:

i want to make kind of a virtual folder. when the user logs on to the system via ftp, i want them to be able to see ONLY their folders and nobody else's. i know if i deny them access, it will also work (i'm planning on that too) but this is mainly for their ease of use.

also, let's say bob has folders in "/var/www/users/bob" and "/var/www/groups/bobsGroup" here, they're in different areas, but i want them to appear as if they're in the same.

if that doesn't work, that's ok, i really just want a way to hide all the folders that don't belong to a specific person.

i know hiding folders like this is possible under novell, but i'm not sure if it is under linux.

thanks for any advice or help!
Eric
 
Old 10-03-2006, 04:17 PM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
If I understand your requirement you are asking for the default behavior of ftp. If someone connects to a server via ftp and logs in to an account on the server they will be placed in the home directory of the account that they logged on as. If you use a secure ftp server such as vsftp then the user will be locked into their home directory.

If you want people to be able to see other directories that are not under their home directory then you could create links in the home directory to the new directory. However this could destroy your ability to capture the log in session to the home directory.
Example:
If you have an account named user1 with a home directory at /home/user1 and another directory at /www/user1 then you could do this.
Code:
cd /home/user1
ln -s /www/user1 www

This will create a link in the /home/user1 directory called www. This link will point to /www/user1. If you are in the /home/user1 directory you can cd into www and you will be in /www/user1.

It might be more secure to implement the above file structure as having the www directory under the home directory of each user and then create links under /www to the /home/user1/www directory of each user. So the /www directory would have links to each user's /home/*/www directory.
Code:
mkdir /home/user1/www
mkdir /home/user2/www
ln -s /home/user1/www /www/user1
ln -s /home/user2/www /www/user2

I think this method is more secure because there are no links from inside the user's www directory to some place outside of their home directory.

Last edited by stress_junkie; 10-03-2006 at 04:35 PM.
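
A way to check the property described in the post above (no links from inside a user's directory to a place outside it), as an added example that is not part of the original thread. It assumes a `readlink` that supports `-f` (GNU coreutils or busybox); the function names and the demo tree are made up for illustration.

```shell
# Added example. Assumes a readlink that supports -f (GNU coreutils, busybox).

# find_escaping_links ROOT
# Prints "LINK -> TARGET" for each symlink under ROOT whose fully resolved
# target lies outside ROOT, and flags links that cannot be resolved.
find_escaping_links() (
    root=$(readlink -f "$1") || exit 2
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            if ! target=$(readlink -f "$link"); then
                printf "%s -> (unresolvable)\n" "$link"
                continue
            fi
            case $target in
                "$root"|"$root"/*) ;;   # resolves inside ROOT: fine
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +
)

# demo_layout: builds a constructed tree containing both layouts from the
# post and prints its base directory. All names here are made up.
demo_layout() (
    base=$(readlink -f "$(mktemp -d)") || exit 1
    mkdir -p "$base/home/user1/www" "$base/home/user2/www" \
             "$base/www/user1" "$base/www_links"
    # First layout: a link inside the home directory pointing out of it.
    ln -s "$base/www/user1" "$base/home/user1/www_out"
    # Second layout: content lives under home, links sit in a separate tree.
    ln -s "$base/home/user1/www" "$base/www_links/user1"
    ln -s "$base/home/user2/www" "$base/www_links/user2"
    printf '%s\n' "$base"
)
```

Run against each home directory, the first layout is reported and the second is not; the separate tree of links is expected to be reported, since every link in it points out by design.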
 
Old 10-04-2006, 09:14 PM   #3
erat123
Member
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 69

Original Poster
Rep: Reputation: 16
thanks for the quick reply! that's a really great idea w/ the shortcuts. i guess i wasn't very clear when i asked my question to begin with.

This web hosting I'm setting up: I would like to allow my friends to set up a website as a whole, but allow them to have their own space and space for just a few of them. For example:

John
Ben
Erin
Bill

these are the people making the site called mysite.com

John and Ben are working together to design the interface, and Erin and Bill are working on the programming.

John and Ben both have their own separate folders, but they also share one with each other.

Erin and Bill both have their own separate folders, but they share one with each other.

All 4 people also share a third folder for the final web site.

I think the shortcuts will work, I haven't tried it yet. Does that sound like the best route to take to make this work, or are there any other recommendations?

Thanks!
Eric
 
Old 10-04-2006, 09:32 PM   #4
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
I have to think about it. I'll rewrite this post when I have an answer. That'll probably be some time tomorrow.

---

Still thinking.

Last edited by stress_junkie; 10-05-2006 at 11:44 AM.
 
Old 10-05-2006, 12:08 AM   #5
erat123
Member
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 69

Original Poster
Rep: Reputation: 16
Thanks for taking the time to help me out! I'm looking forward to your reply.
 
Old 10-05-2006, 02:35 AM   #6
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
With regards to the webserver part:
Apache supports virtual hosts. Each host can point to a different document-root. Let them point to a subdirectory in the user's home directory. Something like:
Code:
/home
  |
  +-- user1
  |     |
  |     +-- http      // user's normal web directory
  |     +-- https     // user's secure web directory
  |
  +-- user2
        |
        +-- http      // user's normal web directory
        +-- https     // user's secure web directory

Users can upload webpages to their home directories and subdirectories, but web pages will be served from http and/or https so visitors will never have access to the user's 'root' directory. Apache however has (which is a good thing) access there, so your friend's customers can hide stuff (i.e. php code with passwords) there.

If your friends ever need to provide secure http to their customers, you have to use IP-based virtual hosting and you cannot use name-based virtual hosting.
For that you need to give your network card multiple IP addresses (or use multiple network cards).
 
Old 10-05-2006, 05:23 PM   #7
erat123
Member
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 69

Original Poster
Rep: Reputation: 16
I've been thinking of those shortcuts you can make. I really like that idea, but I'm lost on one part.

Let's say i have a user named John. John has access to his personal web page (/var/www/wusr/john/personal) and he is also in a group w/ Sarah. Together, they have their own website at /var/www/wgrp/john-sarah/www. When John logs in, his home directory is at /var/www/wusr/john, and using links (shortcuts) he will see the folders personal and john-sarah. Now, here's the problem i have. if he decides to go to john-sarah, he can do so, but when he does a "cd .." he won't be able to go back.

i don't know if i can create an alias of some sort or something, but does anyone have any ideas on how to fix this? this would really be a neat way to do this!
 
Old 10-05-2006, 08:10 PM   #8
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
This is a job for user groups. I always make a user group for each user account. Then I do something that Linux and Unix don't like. I make that individual user group the primary group for the account and I make the users group a secondary group for each account. You can also make a user group for any group of files that needs to be accessed by a specific list of people. Here's an example.
Code:
root> groupadd test
root>
root> useradd -m -g test -G users -s /bin/bash test
root> groups test
test : test users
root>

The reason that I do that is so that when the user creates a file it will have the group ownership of the user account, not the users group. Once you have that it is easy to limit file access to one user account.

Now as far as the common area shared by john and sarah, you just create a user group for that combination.
Code:
root> groupadd john-sarah
root> grep john-sarah /etc/group
john-sarah:!:1010:

Now you can create a directory, give it group ownership of john-sarah, and give both the john account and the sarah account group membership in john-sarah. The only problem will be when either john or sarah creates a new file it will have the group ownership of their primary group membership. They will have to use the chgrp command to change the group ownership of their newly created files to john-sarah.
Code:
john> touch test.tmp
john> ls -l test.tmp
-rw------- 1 john john 0 2006-10-05 20:57 test.tmp
john> chgrp john-sarah test.tmp
john> ls -l test.tmp
-rw------- 1 john john-sarah 0 2006-10-05 20:57 test.tmp
john>

You could put that into their .bash_logout as in
Code:
chgrp -R john-sarah /var/www/wgrp/john-sarah/www/*

Then the accounts should have a umask like 770 so that only owner and group accounts can see the files. The same thing goes for the directories. That will prevent people from going to the directory with all of the links and following one to some place that they are not authorized to access.

As far as the cd .. goes the bash shell keeps track of the path that you took into a directory so you will go back on the same path. For example, I have a user directory that has a link in its home directory to /home/download. This is what it looks like from that user account.
Code:
john> pwd
/home/john
john> ls -ld download
lrwxrwxrwx 1 john john 14 2006-09-18 15:08 download -> /home/download
john> cd download
john> pwd
/home/john/download
john> cd ..
john> pwd
/home/john

I hope that clears a few issues for you.
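
An alternative to changing group ownership after the fact, as an added example that is not part of the original thread and goes beyond what the post describes: a setgid bit on the shared directory makes new files and subdirectories take the directory's group at creation time. It assumes Linux with GNU `stat`; the function names are made up, and the demo uses the caller's own group in place of john-sarah so that it runs without root.

```shell
# Added example. Assumes Linux and GNU stat (-c format strings).

# setup_shared_dir DIR GROUP
# Gives DIR the group GROUP and mode 2770: rwx for owner and group, nothing
# for others, plus the setgid bit so entries created inside inherit GROUP.
setup_shared_dir() {
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 2770 "$1"
}

# demo_shared_dir
# Builds a constructed shared directory, then creates a file and a
# subdirectory in it the way a group member with umask 007 would.
# Prints "<dir mode> <file mode> <subdir mode> <file group matches dir>".
demo_shared_dir() (
    base=$(mktemp -d) || exit 1
    shared=$base/wgrp/john-sarah/www
    # On a real host GROUP would be john-sarah, created by root with groupadd.
    # The demo substitutes the caller's own gid so it runs unprivileged.
    setup_shared_dir "$shared" "$(id -g)" || exit 1
    umask 007                     # new files 660, new directories 770
    touch "$shared/index.html"
    mkdir "$shared/css"
    same=no
    [ "$(stat -c %g "$shared/index.html")" = "$(stat -c %g "$shared")" ] && same=yes
    printf '%s %s %s %s\n' "$(stat -c %a "$shared")" \
        "$(stat -c %a "$shared/index.html")" "$(stat -c %a "$shared/css")" "$same"
    rm -rf "$base"
)
```

The subdirectory comes out as 2770 because the setgid bit itself is inherited, so the group propagates down the whole tree without a recursive chgrp.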
 
Old 10-10-2006, 10:24 AM   #9
erat123
Member
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 69

Original Poster
Rep: Reputation: 16
thanks stress_junkie and everyone else that helped me out! this really was helpful! linuxquestions.org rules!!!!
 
  

