How to Restrict a User's Access Using SFTP?
Mark Phillips
mark at phillipsmarketing.biz
Thu Dec 29 08:00:16 MST 2011
Ben
Thanks - that worked very well and looks very secure.
Which method is more secure/"the right way" to set up users with web
publishing rights -
a. create a link from a user's directory to a document root at
/var/www/domain/user
b. change document root to /home/user/www/site
Mark
On Thu, Dec 29, 2011 at 12:37 AM, azlobo73 <azlobo73 at gmail.com> wrote:
> Sorry - built-in OpenSSH chroot functionality
>
>
> On Thu, Dec 29, 2011 at 12:36 AM, azlobo73 <azlobo73 at gmail.com> wrote:
>
>> If you can either relocate the vhost or the user home directory, then
>> this might be of some help, which explains using built-in chroot
>> functionality with sftp access to restrict access and visibility:
>> http://www.debian-administration.org/articles/590
>>
>> Ben
>>
>>
>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net> wrote:
>>
>>> That should be ok.
>>>
>>> Be sure you have your ftp server configured such that they cannot access
>>> folders above/across their home folder. File permissions may handle this,
>>> but probably will not (many things are world readable).
>>>
>>> Also, be sure that they cannot login to a command prompt by setting
>>> their login shell to /sbin/nologin (might vary with distro). This is
>>> commonly done for service accounts (apache, etc).
>>>
>>>
>>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>>
>>>> Thanks to everyone for their suggestions. Based on some constraints,
>>>> your advice, some googling, I arrived at this set-up, but I am not sure
>>>> how secure it is.
>>>>
>>>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>>>> to upload a site.
>>>> 2. iWeb does not support the use of "versions" for the web pages. By
>>>> that I mean iWeb is strictly one way - create a site and publish it. It
>>>> cannot import an iWeb site, it has to start at the beginning. One can
>>>> create a site and publish it, then edit the site, and publish again, but
>>>> it cannot import or use a previous version of the site as a starting
>>>> point. (I mention this because Eric suggested using git, which sounded
>>>> like a great idea, but alas
>>>>
>>>> I have this setup, but I could use some advice on how to make it more
>>>> secure....
>>>>
>>>> 1. User account fred
>>>> 2. fred's home is /var/www/domain/fred
>>>> 3. /var/www/domain/fred has owner:group fred:fred
>>>> 4. Document root is /var/www/domain/fred
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net
>>>> <mailto:ejs at shubes.net>> wrote:
>>>>
>>>> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>>>
>>>> I need to give a user access to my web server via sftp to upload web
>>>> site changes. What is the best way to do this? I have several other
>>>> sites on the same server, so I want to prevent them or anyone else who
>>>> gains access to their account from being able to make changes to those
>>>> sites or other parts of the server.
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>>
>>>> I use vsftp, which can be configured to allow users access only to
>>>> their web site's tree. sftp might be able to do the same.
>>>>
>>>> Then, create their user such that their home directory is their web
>>>> site's directory, and they cannot log in to the system (only vsftp)
>>>> with an /etc/passwd entry like this:
>>>> vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>>>>
>>>>
>>>> Files in their web site are owned by their user, with read
>>>> permissions for 'other' (o+r), which allows apache (or nginx) to
>>>> read them.
>>>>
>>>> --
>>>> -Eric 'shubes'
>>>>
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>
>>>>
>>>>
>>>
>>> --
>>> -Eric 'shubes'
>>>
>>>
>>
>>
>>
>> --
>> ---
>> Ben
>>
>> python -c "exec(\"import math\\nprint ''.join(map(lambda x: chr(x), (
>> (ord('a')-(3*5)), int(math.sqrt(math.pi*76)*5+2),
>> int(math.ceil(math.e)*28), int(math.floor(math.e)*35),
>> long(abs(4%3*35+3)*2))))\")"
>>
>>
>
>
>
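Added example, not part of the thread or of the debian-administration article it links: a small Python checker for the chroot-SFTP layout the thread converges on (ChrootDirectory /var/www/domain owned by root, the user's own directory /var/www/domain/fred below it), together with the sshd_config Match block it needs. The paths, the user name "fred", the uid 1001 and the sample metadata are constructed for illustration. The rule the checker enforces is OpenSSH's own: every component of ChrootDirectory, from / down, must be owned by root and must not be group- or world-writable, or the login fails with "bad ownership or modes for chroot directory". That is why option (a) in Mark's last question (a separate user directory under a root-owned chroot) is the workable shape: the chroot itself cannot be the user's writable docroot. Note also that a symlink from a chrooted home to an absolute path such as /var/www/domain/user is resolved relative to the chroot root, so it dangles unless the target is also inside the chroot. With this layout the user lands at the chroot root (seen as /) and uploads into /fred; the web server reads the files through the 'other' bits, as Eric describes.

```python
# Added example (not from the thread): checker for the chroot-SFTP layout
# discussed above, plus the sshd_config fragment it needs.
# Assumed layout (paths, uid/gid values and the user name are illustrative):
#   /var/www/domain        root:root  0755   <- ChrootDirectory
#   /var/www/domain/fred   fred:fred  0755   <- user's docroot, readable by the web server via 'other'
# OpenSSH only honours ChrootDirectory if every path component, from / down to
# the chroot itself, is owned by root and is not writable by group or other.
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Entry:
    """Ownership and permission bits of one path (mode holds permission bits only)."""
    uid: int
    gid: int
    mode: int


def path_components(path: str) -> List[str]:
    """'/var/www/domain' -> ['/', '/var', '/var/www', '/var/www/domain']."""
    comps = ["/"]
    cur = "/"
    for part in os.path.normpath(path).strip("/").split("/"):
        if part:
            cur = os.path.join(cur, part)
            comps.append(cur)
    return comps


def chroot_problems(entries: Dict[str, Entry], chroot: str) -> List[str]:
    """Apply sshd's ChrootDirectory rules to every component of `chroot`."""
    problems = []
    for comp in path_components(chroot):
        e = entries.get(comp)
        if e is None:
            problems.append(f"{comp}: missing")
            continue
        if e.uid != 0:
            problems.append(f"{comp}: owned by uid {e.uid}, must be root")
        if e.mode & 0o022:
            problems.append(f"{comp}: group/other writable (mode {e.mode:04o})")
    return problems


def docroot_problems(entries: Dict[str, Entry], docroot: str, user_uid: int) -> List[str]:
    """The user's directory inside the chroot: owned by the user (so uploads work),
    not world-writable, and r-x for 'other' so the web server can serve it."""
    e = entries.get(docroot)
    if e is None:
        return [f"{docroot}: missing"]
    problems = []
    if e.uid != user_uid:
        problems.append(f"{docroot}: owned by uid {e.uid}, expected {user_uid}")
    if e.mode & 0o002:
        problems.append(f"{docroot}: world writable (mode {e.mode:04o})")
    if e.mode & 0o005 != 0o005:
        problems.append(f"{docroot}: not r-x for other, web server cannot read it")
    return problems


def stat_entries(paths: Iterable[str]) -> Dict[str, Entry]:
    """Collect real metadata with os.stat, for running the checks on a live host."""
    out = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        out[p] = Entry(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return out


def sshd_match_block(user: str, chroot: str) -> str:
    """sshd_config fragment: chroot the user and serve SFTP in-process, so the
    account's nologin shell is never executed. Needs 'Subsystem sftp internal-sftp'
    in the global section; Match blocks must come after all global options."""
    return "\n".join([
        f"Match User {user}",
        f"    ChrootDirectory {chroot}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
    ])


# Constructed sample metadata: a correct layout, and the common mistake of
# chown'ing the chroot directory itself to the user.
FRED_UID = 1001
GOOD = {
    "/": Entry(0, 0, 0o755),
    "/var": Entry(0, 0, 0o755),
    "/var/www": Entry(0, 0, 0o755),
    "/var/www/domain": Entry(0, 0, 0o755),
    "/var/www/domain/fred": Entry(FRED_UID, FRED_UID, 0o755),
}
BAD = dict(GOOD)
BAD["/var/www/domain"] = Entry(FRED_UID, FRED_UID, 0o775)  # sshd refuses this chroot


if __name__ == "__main__":
    for name, entries in (("good", GOOD), ("bad", BAD)):
        probs = (chroot_problems(entries, "/var/www/domain")
                 + docroot_problems(entries, "/var/www/domain/fred", FRED_UID))
        print(name, "->", probs or "ok")
    # On a real host: stat_entries(path_components("/var/www/domain") + ["/var/www/domain/fred"])
    print(sshd_match_block("fred", "/var/www/domain"))
```

Running it on the constructed data reports the "good" layout as ok and flags the "bad" one twice (chroot not root-owned, chroot group-writable). To check a live host, feed stat_entries() the output of path_components() for the chroot plus the docroot, then restart sshd after adding the Match block and confirm with "sftp fred@host" that "cd /" does not escape /var/www/domain.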