Access Control Lists in Debian Lenny

Posted by arbales on Server Fault
Published on 2009-08-07T04:53:47Z Indexed on 2010/04/29 23:18 UTC


So, for my clients who have sites hosted on my server, I create user accounts, with standard home folders inside /home.

I set up an SSH jail for all the collective users, because I really am against using a separate FTP server. Then, I installed ACL and added acl to my /etc/fstab — all good.

  1. I cd into /home and chmod 700 ./*.
     At this point users cannot see into other users' home directories (yay), but apache can't see them either (boo).
  2. I ran setfacl u:www-data:rx ./*. I also tried individual directories.
     Now apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.

How do I set up ACLs so that:
  1. Apache can see the sites hosted in users' home folders, AND
  2. Users can't see outside their home and into others' files.


Edit: more details:

Output after chmod -R 700 ./*

sh-3.2# chmod 700 ./*
sh-3.2# ls -l
total 72
drwx------+ 24 austin  austin     4096 Jul 31 06:13 austin
drwx------+  8 jeremy  collective 4096 Aug  3 03:22 jeremy
drwx------+ 12 josh    collective 4096 Jul 26 02:40 josh
drwx------+  8 joyce   collective 4096 Jun 30 06:32 joyce

(Not accessible to others users OR apache)

setfacl -m u:www-data:rx jeremy

(Now accessible to members apache and collective — why collective, too?)

sh-3.2# getfacl jeremy 
# file: jeremy
# owner: jeremy
# group: collective
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---

Solution

Ultimately what I did was:

chmod 755 *
setfacl -R -m g::--- *
setfacl -R -m u:www-data:rx *
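Two rules from acl(5) and setfacl(1) account for what the question observed and for why the Solution has to set g::--- explicitly: on a file that already has a mask entry, the group bits of a chmod mode land in the mask rather than in the group:: entry, and setfacl -m (without -n) afterwards recalculates the mask as the union of group:: and every named user or group entry. The Python model below, added here as an illustration and not part of the original question or of the acl tools, replays both command sequences under those rules. Its starting state is an assumption: an earlier setfacl trial is taken to have left an extended ACL on the directory, which is consistent with the '+' on every entry in the ls -l listing.

```python
"""Model of POSIX.1e ACL semantics (acl(5), setfacl(1)) for the question's scenario.
Constructed illustration: simulates chmod, setfacl -m and the access check in memory."""

R, W, X = 4, 2, 1
PERM_CHARS = (('r', R), ('w', W), ('x', X))

def parse_perms(text):
    """'rx' or 'r-x' -> 5, '---' -> 0 (setfacl accepts both spellings)."""
    return sum(bit for ch, bit in PERM_CHARS if ch in text)

def fmt_perms(bits):
    return ''.join(ch if bits & bit else '-' for ch, bit in PERM_CHARS)

class Acl:
    def __init__(self, owner, group, mode):
        self.owner, self.group = owner, group
        self.user = (mode >> 6) & 7        # user::  entry
        self.group_obj = (mode >> 3) & 7   # group:: entry
        self.other = mode & 7              # other:: entry
        self.named_users = {}              # user:NAME:  entries
        self.named_groups = {}             # group:NAME: entries
        self.mask = None                   # mask:: entry, present only on extended ACLs

    def chmod(self, mode):
        """chmod(2): when a mask entry exists, the mode's group bits set the mask,
        not group:: (acl(5))."""
        self.user, self.other = (mode >> 6) & 7, mode & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def setfacl_m(self, spec):
        """setfacl -m SPEC ('u:www-data:rx', 'g::---', 'm::rx').  Without -n, setfacl
        then recalculates the mask as the union of group:: and every named user/group
        entry (setfacl(1))."""
        tag, qualifier, perms = spec.split(':')
        bits, tag = parse_perms(perms), tag[0]
        if tag == 'm':
            self.mask = bits               # explicit mask: kept as given
            return
        if tag == 'u' and qualifier:
            self.named_users[qualifier] = bits
        elif tag == 'g' and qualifier:
            self.named_groups[qualifier] = bits
        else:
            setattr(self, {'u': 'user', 'g': 'group_obj', 'o': 'other'}[tag], bits)
        if self.named_users or self.named_groups:
            self.mask = self.group_obj
            for b in (*self.named_users.values(), *self.named_groups.values()):
                self.mask |= b

    def ls_mode(self):
        """Permission string as ls -l shows it: group triple is the mask on an extended ACL."""
        grp = self.group_obj if self.mask is None else self.mask
        plus = '+' if self.mask is not None else ''
        return fmt_perms(self.user) + fmt_perms(grp) + fmt_perms(self.other) + plus

    def getfacl(self):
        """Entry lines in getfacl order (the '# file:' header comments are omitted)."""
        lines = [f'user::{fmt_perms(self.user)}']
        lines += [f'user:{n}:{fmt_perms(b)}' for n, b in sorted(self.named_users.items())]
        lines += [f'group::{fmt_perms(self.group_obj)}']
        lines += [f'group:{n}:{fmt_perms(b)}' for n, b in sorted(self.named_groups.items())]
        lines += [f'mask::{fmt_perms(self.mask)}'] if self.mask is not None else []
        return lines + [f'other::{fmt_perms(self.other)}']

    def allows(self, who, groups, want):
        """acl(5) access-check algorithm for a process running as WHO in GROUPS."""
        mask = 7 if self.mask is None else self.mask
        if who == self.owner:
            return self.user & want == want
        if who in self.named_users:
            return self.named_users[who] & mask & want == want
        matched = [self.group_obj] if self.group in groups else []
        matched += [b for g, b in self.named_groups.items() if g in groups]
        if matched:  # group class matched: decided here, other:: is never consulted
            return any(b & mask & want == want for b in matched)
        return self.other & want == want

    def effective(self, who, groups):
        """Which of r, w, x WHO can actually exercise on this directory."""
        return ''.join(ch if self.allows(who, groups, bit) else '-' for ch, bit in PERM_CHARS)

def replay_question():
    """The sequence in the question.  ASSUMPTION: an earlier setfacl trial had already
    left an extended ACL on the directory (the '+' in the ls -l listing shows one)."""
    home = Acl('jeremy', 'collective', 0o755)
    home.setfacl_m('u:www-data:rx')        # earlier trial: creates the mask entry
    home.chmod(0o700)                      # mask -> ---, but group:: stays r-x
    listing = home.ls_mode()               # 'rwx------+', as in the ls -l output
    home.setfacl_m('u:www-data:rx')        # mask recomputed as r-x: collective is back in
    return listing, home.getfacl(), home.effective('josh', {'collective'})

def replay_solution(owner, group):
    """The three commands from the Solution applied to one home directory."""
    home = Acl(owner, group, 0o700)
    home.setfacl_m('u:www-data:rx')        # state at the end of the question
    home.chmod(0o755)
    home.setfacl_m('g::---')               # sets group:: itself, not just the mask
    home.setfacl_m('u:www-data:rx')
    return home
```

Run against the question's sequence, the model reproduces the quoted getfacl output and shows the collective group regaining r-x through the recalculated mask. Run against the Solution, it also shows the limit of that fix: with other::r-x, an account outside a directory's owning group is evaluated against other:: and can still read the directory. That isolation holds between the homes owned by group collective, but in the listing austin's home is owned by group austin, so collective members fall through to other:: there; checking each home with getfacl and id after applying the fix is the verification worth doing.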
