How to Restrict a User's Access Using SFTP?

azlobo73 azlobo73 at gmail.com
Thu Dec 29 11:32:10 MST 2011


When installed, depending on your distro and package management system's
post-install process, the pseudo/restricted 'shell' may need to be added to
the /etc/shells or equivalent file to work as a listed shell for a user in
/etc/passwd.  Another such one is called scponly.  One plus with a
non-shell option is that you don't need to set up the jailed environment
quite as much as you would with a shell environment (and since lack of
trust is usually involved, shell access is not usually desirable, but can
be a necessity depending on what the developer needs to do, etc).

Symlinks might well not work (probably not at all as desired) in the chroot
jail ("seeing outside" of the jail for the user logged in might mean broken
symlink in that context, etc).  Therefore I'd move the vhost and update
the DocumentRoot to point in the new place (or move the user's home to the
vhost - which of these two are more manageable as an admin is the question,
and might also be impacted by partitioning constraints etc).  Note too that
the user's home directory has to then be readable (at least, depending on
web app needs) by apache process's user, so this is not a 'home' in the
usual sense from the point of view of the outer, unjailed environment.

Ben

On Thu, Dec 29, 2011 at 8:27 AM, Lisa Kachold <lisakachold at obnosis.com>wrote:

> Hi Mark,
>
> No, you cannot use a nologin with scp or ssh.
>
> There are a few restricted shells, most notably rssh (which is in apt-get
> for Debian):
>
> http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
>
> http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
>
>
> On Thu, Dec 29, 2011 at 8:04 AM, Mark Phillips <mark at phillipsmarketing.biz> wrote:
>
>> Eric,
>>
>> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
>> tried that, I could not sftp or ssh or gain access to the machine in
>> anyway. I am not sure if there is another Debian shell that allows sftp but
>> not ssh.
>>
>> Thanks!
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net> wrote:
>>
>>> That should be ok.
>>>
>>> Be sure you have your ftp server configured such that they cannot access
>>> folders above/across their home folder. File permissions may handle this,
>>> but probably will not (many things are world readable).
>>>
>>> Also, be sure that they cannot login to a command prompt by setting
>>> their login shell to /sbin/nologin (might vary with distro). This is
>>> commonly done for service accounts (apache, etc).
>>>
>>>
>>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>>
>>>> Thanks to everyone for their suggestions. Based on some constraints,
>>>> your advice, some googling, I arrived at this set-up, but I am not sure
>>>> how secure it is.
>>>>
>>>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>>>> to upload a site.
>>>> 2. iWeb does not support the use of "versions" for the web pages. By
>>>> that I mean iWeb is strictly one way - create a site and publish it. It
>>>> cannot import an iWeb site, it has to start at the beginning. One can
>>>> create a site and publish it, then edit the site, and publish again, but
>>>> it cannot import or use a previous version of the site as a starting
>>>> point. (I mention this because Eric suggested using git, which sounded
>>>> like a great idea, but alas
>>>>
>>>> I have this setup, but I could use some advice on how to make it more
>>>> secure....
>>>>
>>>> 1. User account fred
>>>> 2. fred's home is /var/www/domain/fred
>>>> 3. /var/www/domain/fred has owner:group fred:fred
>>>> 4. Document root is /var/www/domain/fred
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net> wrote:
>>>>
>>>>    On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>>>
>>>>        I need to give a user access to my web server via sftp to upload
>>>>        web site changes. What is the best way to do this? I have several
>>>>        other sites on the same server, so I want to prevent them or anyone
>>>>        else who gains access to their account from being able to make
>>>>        changes to those sites or other parts of the server.
>>>>
>>>>        Thanks,
>>>>
>>>>        Mark
>>>>
>>>>
>>>>    I use vsftp, which can be configured to allow users access only to
>>>>    their web site's tree. sftp might be able to do the same.
>>>>
>>>>    Then, create their user such that their home directory is their web
>>>>    site's directory, and they cannot log in to the system (only vsftp)
>>>>    with an /etc/passwd entry like this:
>>>>    vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>>>>
>>>>
>>>>    Files in their web site are owned by their user, with read
>>>>    permissions for 'other' (o+r), which allows apache (or nginx) to
>>>>    read them.
>>>>
>>>>    --
>>>>    -Eric 'shubes'
>>>>
>>>>
>>>>    ---------------------------------------------------
>>>>    PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>>    To subscribe, unsubscribe, or to change your mail settings:
>>>>    http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>
>>>>
>>>>
>>>
>>> --
>>> -Eric 'shubes'
>>>
>>>
>>
>>
>>
>
>
>
> --
> (602) 791-8002  Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> HomeSmartInternational.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20111229/ad4509f5/attachment.html>