Re: Quarantining web content creators
On Thu, Sep 18, 2003 at 11:38:16PM +1000, David Purdue wrote:
[... snip! ...]
> Now, what I want is that the folks in groupa should not be able to
> see what is in groupb's web site and vice versa.
>
> So I set up two groups in /etc/group:
>
> groupa:*:5001:usera1,usera2,www
> groupb:*:5002:userb1,userb2,www
>
> And I set permissions on the htdocs directories...
>
> drwxr-x--- 3 usera1 groupa 512 Jun 21 16:30 groupa/
> drwxr-x--- 3 userb1 groupb 512 Jun 21 16:30 groupb/
[... snip! ...]
Try a different approach. Put usera1 and userb1 in the same group, then
remove all group privileges.
drwx---r-x 3 usera1 sites 512 Jun 21 16:30 groupa/
drwx---r-x 3 userb1 sites 512 Jun 21 16:30 groupb/
usera1 still has full privileges on the groupa directory, while anyone
in the sites group has none. The permissions should be enforced with
the proper umask (075). The user Apache runs as by default under OpenBSD
(www) will still be able to read the directory just fine.
This means CGI programs and PHP scripts (or similar) which run with the
privileges of the www user, will be able to read those directories as
well. Care should be given to these as well if you allow their use
(various CGI wrappers, PHP safe mode, etc).
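The layout suggested in the reply above, reproduced as an added example that is not part of the thread. It builds the two site directories in a scratch location with the mode bits from the listing (rwx---r-x, i.e. 705), creates a file under the umask that yields those same bits for new files (072 is this example's assumption), and reads the resulting modes back so they can be checked. It creates no users or groups and needs only a POSIX sh with GNU or BSD stat, so it runs unprivileged; the three-way split (owner full, group nothing, other read-only) is what keeps one team out of the other's tree while the www user can still serve it.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates owner-full /
# group-none / other-read directory permissions in a scratch directory.

# Print the low three octal digits of a path's mode (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Compute the mode a new object gets: base mode with the umask bits cleared.
# $1 = base (777 for directories, 666 for files), $2 = umask, both octal.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Build groupa/ and groupb/ under $1 with the bits from the listing:
# owner rwx, group ---, other r-x. The shared "sites" group therefore grants
# nothing, and the web server (running as some third user) gets read/traverse.
build_sites() {
    root=$1
    mkdir -p "$root/groupa" "$root/groupb"
    chmod 705 "$root/groupa" "$root/groupb"
    # Files created under umask 072 come out rw----r-- (604), matching the
    # directory policy: group members get nothing, everyone else reads.
    ( umask 072 && : > "$root/groupa/index.html" )
}

# Stand-alone demo: build the tree, show it, clean up.
demo=$(mktemp -d)
build_sites "$demo"
ls -ld "$demo/groupa" "$demo/groupb" "$demo/groupa/index.html"
printf 'umask 072 -> new dir %s, new file %s\n' \
    "$(effective_mode 777 072)" "$(effective_mode 666 072)"
rm -rf "$demo"
```

The directory bits are set explicitly here rather than relying on whoever creates them having the right umask; in practice the umask matters for everything the content creators add afterwards, which is why the reply stresses it. Note that "other can read" applies to every local account that is not in the group, not just www, so the trick isolates the two teams from each other but not from arbitrary local users.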