Access to the data in your web home
folder in your home directory on the web cluster) through the web server can be restricted easily using .htaccess
It is important to know though that all users who have a personal home page or web site on the web cluster can see the files on the file system directly
on the login host
Protecting Data in
public_html is Impossible
The web server (programm) runs as the user
and needs to read all files that are served as content or otherwise needed,
for instance. These files all belong to your user.
There are two ways to make sure that
can read your files:
- Make your home directory, the web home and all files therein world readable.
- Use ACLs to restrict access to files and directories only to yourself and
The later is only marginally better because it is trivial for any user to install a PHP application in their personal home page that will run as
and therefore can see and read all files.
The only way to protect data is to hide them and use a secret url
that only the people who need access know.
This is done the following way:
- Create a directory with a secret, unguessable name somewhere in your web home.
- Make its parent directory only accessible for your and
wwwpeop and disable directory listing.
That way nobody can see the secret directory name. This approach is not perfectly secure but should do well enough for most cases. Make sure that you create one directory per group of users that you want to share data with.
To implement this do the following on the login host
Create a directory named
directory and set the permissions accordingly:
chmod 700 shared
setfacl -m user:wwwpeop:x shared
setfacl -m mask::x shared
Decide on a secret directory name. You can use
to create a cryptographically strong secret name:
Create the directory with the secret name in
mkdir shared/`pwgen 20 1`
Copy files to this directory and share the URL of the form
The easiest way to make files or whole directories inaccessible through both the web server and the file system is to make them accessible by yourself only. Use the following commands on the login host
do disable access to some file or directory:
setfacl -Rb some_file_or_directory
chmod -R go-rwx some_file_or_directory
The first line makes sure that there are no ACLs left.