Enhanced User Security

From DreamHost
Jump to: navigation, search

The Enhanced User Security setting prevents other users from accessing your home directory. It can be enabled independently for each user in the DreamHost control panel under Users / Manage Users. It is enabled by default.

It is strongly recommended that you only disable this option if you need your files to be accessible to other Dreamhost users (which you really probably don't).

DreamHost is in the process of requiring it to be enabled for all shared hosting users. Currently you can still disable it in the panel, but the system will re-enable it without warning, and eventually that ability to disable it even temporarily will be gone.

Enabled

By default, Enhanced User Security is enabled and sets the user's home directory permissions to rwx--x--- (710) and changes the group to 'adm'. This has the following effects:

  • The user and her/his scripts have the same access to the home directory as when the option is disabled.
  • Other Dreamhost users no longer have any access to your home directory. They cannot enter your home directory or subdirectories or access any files, no matter how lax the permissions are set. Note: The Apache user is in the group 'adm', and thus still has access to the home directory.

Disabled

When disabled, the user's home directory permissions are set to rwxr-x--x (751), with the group set to the user's account group. This has the following effects:

  • The user has full read/write access to her/his own home directory, as do user scripts (such as PHP) which run as the user, by using suEXEC.
  • Other users on the same account also have full read/execute access to the home directory, except that they may not rename, delete or create files or directories. However, they may perform these actions in sub-directories that have group +w permission (e.g. rwxrwx--x or 771).
  • Other Dreamhost users have some limited access to your home directory. They may not read the list of filenames in the home directory, and may not rename, delete or create files or directories. However, they can read any other file or directory listing which is accessible to the web server, assuming they know the path and filename or can guess. They may also read, and possibly write or modify, any file or directory which has too lax permissions set (e.g. 755 or 777).

See also