Enhanced User Security

From DreamHost

Overview

The Enhanced User Security setting prevents other users from accessing your home directory. This setting is enabled by default for every user created. You can find this setting on the ‘Users’ > ‘Manage Users’ page in the DreamHost panel by clicking the Edit button for the user you wish to change.


The setting is a checkbox that must be checked for it to be active. Make sure to click the Save Changes button at the bottom of the page to save that change. (The learn more link will direct users to this article.)


It is strongly recommended that you keep this security setting enabled to prevent other users from accessing your files.

Enabled

By default, Enhanced User Security is enabled and sets the user's home directory permissions to '710' and changes the group to 'adm':

drwx--x---  18 user1                     	adm    	4096 Jan 12 14:05 user1

This has the following effects:

  • The user and their scripts have the same access to the home directory as when the option is disabled.
  • Other DreamHost users no longer have any access to your home directory. They cannot enter your home directory or subdirectories or access any files, no matter how lax the permissions are set.
Note: The Apache user is in the group 'adm', and thus still has access to the home directory.


Disabled

When this setting is manually disabled, the user's home directory permissions are set to '751', and the group is set to the user's account group, shown as ‘pgXXXXXXX’ (the ‘X’s stand in for the group-specific ID number):

drwxr-x--x   6 user2                      	pgXXXXXXX  4096 Nov  4  2013 user2


This has the following effects:

  • The user has full read/write access to their own home directory, as do user scripts (such as PHP) which run as the user.
  • Other users on the same account also have full read/execute access to the home directory, except that they may not rename, delete or create files or directories. However, they may perform these actions in sub-directories that have group +w permission (e.g., directories set with ‘771’ (rwxrwx--x) permissions).
  • Other DreamHost users have some limited access to your home directory. They may not read the list of filenames in the home directory, and may not rename, delete or create files or directories. However, they can read any other file or directory listing accessible to the web server, assuming they know the path and filename or can guess them. They may also read, and possibly write, any file or directory that has lax permissions set; for example, files or directories set with ‘755’ (rwxr-xr-x) or ‘777’ (rwxrwxrwx).
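
The following Python script is an added example, not DreamHost tooling. It classifies a home directory from the two mode/group combinations described above and lists the entries other users could reach once the home directory is 751; the function names and the availability of Python 3 in your shell are assumptions of this example.

```python
import grp
import os
import stat

# Mode/group pairs as stated on the page: 710 + adm (enabled), 751 + pgXXXXXXX (disabled).
ENABLED_MODE, DISABLED_MODE = 0o710, 0o751

def classify_home(mode, group):
    """Return 'enabled', 'disabled' or 'custom' for a home directory's mode and group."""
    perms = stat.S_IMODE(mode)
    if perms == ENABLED_MODE and group == "adm":
        return "enabled"
    if perms == DISABLED_MODE and group.startswith("pg"):
        return "disabled"
    return "custom"

def exposed_entries(home):
    """List (relative path, access) for entries that grant 'other' read or write
    and sit below directories 'other' can traverse (o+x), which is what matters
    once the home directory itself is 751."""
    found = []
    for root, dirs, files in os.walk(home):
        traversable = []
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not enforced
            access = ("r" if mode & stat.S_IROTH else "") + ("w" if mode & stat.S_IWOTH else "")
            if access:
                found.append((os.path.relpath(path, home), access))
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                traversable.append(name)
        dirs[:] = traversable  # prune: nothing below a directory without o+x is reachable
    return found

if __name__ == "__main__":
    home = os.path.expanduser("~")
    st = os.stat(home)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid with no name entry on this host
        group = str(st.st_gid)
    print("Enhanced User Security looks", classify_home(st.st_mode, group))
    for rel, access in exposed_entries(home):
        print(f"other={access:2} {rel}")
```

With the setting enabled, the listed entries are not reachable by other DreamHost users; the list shows what would become reachable if the setting were switched off.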