Access Control

Access to the data in your web home (the public_html folder in your home directory on the web cluster) through the web server can be restricted easily using .htaccess files.

It is important to know, though, that all users who have a personal home page or web site on the web cluster can see the files on the file system directly on the login host.

Do not put sensitive data in your web home directory unless you have understood the information below and followed the instructions.

Protecting Data in public_html is Impossible

The web server (program) runs as the user wwwpeop and needs to read all files that are served as content or otherwise needed, .htaccess for instance. These files all belong to your user.

There are two ways to make sure that wwwpeop can read your files:

  • Make your home directory, the web home and all files therein world readable.
  • Use ACLs to restrict access to files and directories only to yourself and wwwpeop.

The latter is only marginally better, because it is trivial for any user to install a PHP application in their personal home page that will run as wwwpeop and can therefore see and read all files.

Hiding Data

The only way to protect data is to hide them and use a secret URL that only the people who need access know.

This is done the following way:

  1. Create a directory with a secret, unguessable name somewhere in your web home.
  2. Make its parent directory accessible only to you and wwwpeop, and disable directory listing.

That way nobody can see the secret directory name. This approach is not perfectly secure but should do well enough for most cases. Make sure that you create one directory per group of users that you want to share data with.

To implement this, do the following on the login host:

Create a directory named shared in your public_html directory and set the permissions accordingly:

cd ~/public_html
mkdir shared
chmod 700 shared
setfacl -m user:wwwpeop:x shared
setfacl -m mask::x shared

Decide on a secret directory name. You can use pwgen to create a cryptographically strong secret name:

pwgen 20 1

Create the directory with the secret name in shared:

mkdir shared/`pwgen 20 1`
ls shared

Copy files to this directory and share the URL of the form

https://people.inf.ethz.ch/your_login/shared/secret_name
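
To verify the permissions set on shared above, here is an added example that is not part of the original page: a shell function that reads getfacl output and reports every entry that would let anyone other than you list the directory. The function and sample names are hypothetical, and the sample ACL listings are constructed.

```shell
#!/bin/sh
# Added example: audit the ACL of the parent directory ("shared").
# Usage on the login host:  getfacl shared | check_shared_acl
# Assumption: the web server account is wwwpeop, as stated on the page.
check_shared_acl() {
    awk -F: -v web="wwwpeop" '
        /^#/ || /^default:/ || NF < 3 { next }  # skip headers, defaults, blanks
        { perms = substr($3, 1, 3) }       # drops a trailing "#effective:" note
        $1 == "mask" { mask = perms; next }
        $1 == "user" && $2 == "" { next }  # the owner keeps full access
        { n++; tag[n] = $1; who[n] = $2; perm[n] = perms }
        END {
            if (mask == "") mask = "rwx"   # no mask entry means nothing is capped
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                if (tag[i] != "other") {   # the mask caps everything except "other"
                    eff = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(perm[i], k, 1)
                        eff = eff ((substr(mask, k, 1) == "-") ? "-" : c)
                    }
                }
                is_web = (tag[i] == "user" && who[i] == web)
                want = is_web ? "--x" : "---"   # traverse only, never list
                if (is_web) seen = 1
                if (eff != want) {
                    printf "FAIL %s:%s effective %s, expected %s\n", tag[i], who[i], eff, want
                    bad = 1
                }
            }
            if (!seen) { print "FAIL no ACL entry for user:" web; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: getfacl output after the commands on the page.
sample_hidden() {
    printf '%s\n' '# file: shared' '# owner: alice' '# group: users' \
        'user::rwx' 'user:wwwpeop:--x' 'group::---' 'mask::--x' 'other::---'
}

# Constructed sample: a world-readable parent, so the secret name can be listed.
sample_listable() {
    printf '%s\n' '# file: shared' '# owner: alice' '# group: users' \
        'user::rwx' 'user:wwwpeop:r-x' 'group::r-x' 'mask::r-x' 'other::r-x'
}
```

The function exits with status 0 when only the owner has full access and wwwpeop has execute (traverse) permission alone; any other effective permission is printed as a FAIL line.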

Prevent Access

The easiest way to make files or whole directories inaccessible through both the web server and the file system is to make them accessible by yourself only. Use the following commands on the login host to disable access to some file or directory:

setfacl -Rb some_file_or_directory
chmod -R go-rwx some_file_or_directory

The first line makes sure that there are no ACLs left.

Page URL: https://isg.inf.ethz.ch/bin/view/Main/HelpWebPersonalHomePageAccessControl
2019-11-18
© 2019 Eidgenössische Technische Hochschule Zürich