How to Restrict a User's Access Using SFTP?
Mark Phillips
mark at phillipsmarketing.biz
Thu Dec 29 19:46:04 MST 2011
Eric,
vsftp is in the Debian repositories, but the developer's tool does not use
it...only sftp or ftp. The program is iWeb on the mac.
However, the article http://www.debian-administration.org/articles/590 did
the trick for me!
Mark
On Thu, Dec 29, 2011 at 12:20 PM, Eric Shubert <ejs at shubes.net> wrote:
> Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH.
> I'm using vsftp, which does not require a login shell. Probably why it's
> considered "very secure". ;) I expect that if vsftp is in a debian repo,
> you could use that instead of sftp. vsftpd is stock in the RHEL repos.
>
>
> On 12/29/2011 08:04 AM, Mark Phillips wrote:
>
>> Eric,
>>
>> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
>> tried that, I could not sftp or ssh or gain access to the machine in
>> anyway. I am not sure if there is another Debian shell that allows sftp
>> but not ssh.
>>
>> Thanks!
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net
>> <mailto:ejs at shubes.net>> wrote:
>>
>> That should be ok.
>>
>> Be sure you have your ftp server configured such that they cannot
>> access folders above/across their home folder. File permissions may
>> handle this, but probably will not (many things are world readable).
>>
>> Also, be sure that they cannot login to a command prompt by setting
>> their login shell to /sbin/nologin (might vary with distro). This is
>> commonly done for service accounts (apache, etc).
>>
>>
>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>
>> Thanks to everyone for their suggestions. Based on some
>> constraints,
>> your advice, some googling, I arrived at this set-up, but I am
>> not sure
>> how secure it is.
>>
>> 1. The web creation software (iWeb on a Mac) only supports ftp
>> and sftp
>> to upload a site.
>> 2. iWeb does not support the use of "versions" for the web pages.
>> By
>> that I mean iWeb is strictly one way - create a site and publish
>> it. It
>> cannot import an iWeb site, it has to start at the beginning.
>> One can
>> create a site and publish it, then edit the site, and publish
>> again, but
>> it cannot import or use a previous version of the site as a
>> starting
>> point. (I mention this because Eric suggested using git, which
>> sounded
>> like a great idea, but alas
>>
>> I have this setup, but I could use some advice on how to make it
>> more
>> secure....
>>
>> 1. User account fred
>> 2. fred's home is /var/www/domain/fred
>> 3. /var/www/domain/fred has owner:group fred:fred
>> 4. Document root is /var/www/domain/fred
>>
>> Thanks,
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net
>> <mailto:ejs at shubes.net>
>> <mailto:ejs at shubes.net <mailto:ejs at shubes.net>>> wrote:
>>
>> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>
>> I need to give a user access to my web server via sftp
>> to upload web
>> site changes. What is the best way to do this? I have
>> several other
>> sites on the same server, so I want to prevent them or
>> anyone
>> else who
>> gains access to their account from being able to make
>> changes to
>> those
>> sites or other parts of the server.
>>
>> Thanks,
>>
>> Mark
>>
>>
>> I use vsftp, which can be configured to allow users access
>> only to
>> their web site's tree. sftp might be able to do the same.
>>
>> Then, create their user such that their home directory is
>> their web
>> site's directory, and they cannot log in to the system (only
>> vsftp)
>> with an /etc/passwd entry like this:
>>
>> vsftpuser:x:511:511::/var/____**vhosts/domain.com/docs:/sbin/_**
>> ___nologin <http://domain.com/docs:/sbin/____nologin> <
>> http://domain.com/docs:/sbin/**__nologin<http://domain.com/docs:/sbin/__nologin>
>> >
>> <http://domain.com/docs:/sbin/**__nologin<http://domain.com/docs:/sbin/__nologin>
>>
>> <http://domain.com/docs:/sbin/**nologin<http://domain.com/docs:/sbin/nologin>
>> >>
>>
>>
>> Files in their web site are owned by their user, with read
>> permissions for 'other' (o+r), which allows apache (or nginx)
>> to
>> read them.
>>
>> --
>> -Eric 'shubes'
>>
>>
>> ------------------------------**____---------------------
>> PLUG-discuss mailing list -
>> PLUG-discuss at lists.plug.__phoe**__nix.az.us<http://phoe__nix.az.us><
>> http://phoenix.az.us>
>> <mailto:PLUG-discuss at lists.__p**lug.phoenix.az.us<http://plug.phoenix.az.us>
>>
>> <mailto:PLUG-discuss at lists.**plug.phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
>> >>
>>
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az._**___us/mailman/listinfo/plug-__**
>> __discuss
>>
>> <http://lists.PLUG.phoenix.az.**__us/mailman/listinfo/plug-__**
>> discuss
>> <http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>> >>
>>
>>
>>
>>
>> --
>> -Eric 'shubes'
>>
>> ------------------------------**__---------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.__phoe**nix.az.us<http://phoenix.az.us>
>> <mailto:PLUG-discuss at lists.**plug.phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
>> >
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az._**_us/mailman/listinfo/plug-__**discuss
>> <http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>> >
>>
>>
>>
>
> --
> -Eric 'shubes'
>
> ------------------------------**---------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.**phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20111229/66f34698/attachment.html>
More information about the PLUG-discuss
mailing list