Generally, I recommend locking down users like this not by setting permissions, but by restricting the services they can use. For example, you should deny SSH logins, configure your FTP server to only let them see their home directory, and do the same with Usermin..

- Jamie

On 31/Jul/2006 10:39 Russ Ferriday wrote ..
I can through all virtual hosts doing this on each user. If I do, dovecot will no longer serve imap for any of those users.

Do you think a basic level of security should be part of the default setup for a virtual server?

John Hinton suggested this change:

Inside of Apache 2 conf.

<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable

This will affect web access to folders, but does not affect local access.

As it is at the moment, when I install two virtual servers, their users can mutually browse directories and files.

--r
On 31 Jul 2006, at 18:21, Jamie Cameron wrote:

Have you tried setting mode 711 instead? That allows anyone to chdir to the directory, but not list it ..

- Jamie

On 31/Jul/2006 10:09 Russ Ferriday wrote ..
For either of the chmod versions, I get the following in /var/log/maillog

Jul 31 16:37:12 air660 dovecot: chdir(/home/topia/homes/russf) failed wi th uid 509: Permission denied
Jul 31 16:37:12 air660 imap-login: Login: russf.topia [::ffff:86.128.111.255]
Jul 31 16:37:12 air660 dovecot: child 25628 (imap) returned error 89

Bear in mind my original problem, also. Users on virtual hosts, can by default read other users' homes, because permissions in general are 755.

Thanks for looking at this.

--r

On 31 Jul 2006, at 17:32, Jamie Cameron wrote:

On 31/Jul/2006 08:34 Russ Ferriday wrote ..

Dovecot does not run as soon as I do either of
chmod o-rx /home/<virtdomain>
or
chmod o-rx /home/<virtdomain>/homes/user

Is there a recommended way of preventing a virt domain user being able to see the data of another virt domain user?


That is quite surprising, as Dovecot usually runs with the permissions of the user
who is logged in via IMAP or POP3. What exact error message are you getting from it?

- Jamie




-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chan ce to share your
opinions on IT & business topics through brief surveys -- and earn cash
Forwarded by the Webmin mailing list at webadmin-list@lists.sourceforge.net
To remove yourself from this list, go to

覧覧覧覧覧覧覧覧覧覧

Russ Ferriday
Topia Systems
tel: (+44) (0) 2076 177758
mobile: (+44) (0) 7789 338868
skype: ferriday