How to Restrict a User's Access Using SFTP?
Eric Shubert
ejs at shubes.net
Fri Dec 30 11:44:43 MST 2011
vsftpd supports all the same (standard) protocols, and will work with
anything that uses ftp or sftp.
On 12/29/2011 07:46 PM, Mark Phillips wrote:
> Eric,
>
> vsftp is in the Debian repositories, but the developer's tool does not
> use it...only sftp or ftp. The program is iWeb on the mac.
>
> However, the article
> http://www.debian-administration.org/articles/590 did the trick for me!
>
> Mark
>
> On Thu, Dec 29, 2011 at 12:20 PM, Eric Shubert <ejs at shubes.net
> <mailto:ejs at shubes.net>> wrote:
>
> Oops. Sorry Mark. I forgot that you said sftp, which is part of
> OpenSSH. I'm using vsftp, which does not require a login shell.
> Probably why it's considered "very secure". ;) I expect that if
> vsftp is in a debian repo, you could use that instead of sftp.
> vsftpd is stock in the RHEL repos.
>
>
> On 12/29/2011 08:04 AM, Mark Phillips wrote:
>
> Eric,
>
> The Debian equivalent to /sbin/nologin appears to be /bin/false.
> When I
> tried that, I could not sftp or ssh or gain access to the machine in
> anyway. I am not sure if there is another Debian shell that
> allows sftp
> but not ssh.
>
> Thanks!
>
> Mark
>
> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net
> <mailto:ejs at shubes.net>
> <mailto:ejs at shubes.net <mailto:ejs at shubes.net>>> wrote:
>
> That should be ok.
>
> Be sure you have your ftp server configured such that they
> cannot
> access folders above/across their home folder. File
> permissions may
> handle this, but probably will not (many things are world
> readable).
>
> Also, be sure that they cannot login to a command prompt by
> setting
> their login shell to /sbin/nologin (might vary with distro).
> This is
> commonly done for service accounts (apache, etc).
>
>
> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>
> Thanks to everyone for their suggestions. Based on some
> constraints,
> your advice, some googling, I arrived at this set-up,
> but I am
> not sure
> how secure it is.
>
> 1. The web creation software (iWeb on a Mac) only
> supports ftp
> and sftp
> to upload a site.
> 2. iWeb does not support the use of "versions" for the
> web pages. By
> that I mean iWeb is strictly one way - create a site and
> publish
> it. It
> cannot import an iWeb site, it has to start at the
> beginning.
> One can
> create a site and publish it, then edit the site, and
> publish
> again, but
> it cannot import or use a previous version of the site
> as a starting
> point. (I mention this because Eric suggested using git,
> which
> sounded
> like a great idea, but alas
>
> I have this setup, but I could use some advice on how to
> make it
> more
> secure....
>
> 1. User account fred
> 2. fred's home is /var/www/domain/fred
> 3. /var/www/domain/fred has owner:group fred:fred
> 4. Document root is /var/www/domain/fred
>
> Thanks,
>
> Mark
>
> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert
> <ejs at shubes.net <mailto:ejs at shubes.net>
> <mailto:ejs at shubes.net <mailto:ejs at shubes.net>>
> <mailto:ejs at shubes.net <mailto:ejs at shubes.net>
> <mailto:ejs at shubes.net <mailto:ejs at shubes.net>>>> wrote:
>
> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>
> I need to give a user access to my web server
> via sftp
> to upload web
> site changes. What is the best way to do this? I
> have
> several other
> sites on the same server, so I want to prevent
> them or
> anyone
> else who
> gains access to their account from being able to
> make
> changes to
> those
> sites or other parts of the server.
>
> Thanks,
>
> Mark
>
>
> I use vsftp, which can be configured to allow users
> access
> only to
> their web site's tree. sftp might be able to do the
> same.
>
> Then, create their user such that their home
> directory is
> their web
> site's directory, and they cannot log in to the
> system (only
> vsftp)
> with an /etc/passwd entry like this:
>
>
> vsftpuser:x:511:511::/var/______vhosts/domain.com/docs:/sbin/______nologin <http://domain.com/docs:/sbin/____nologin> <http://domain.com/docs:/sbin/____nologin <http://domain.com/docs:/sbin/__nologin>>
> <http://domain.com/docs:/sbin/____nologin
> <http://domain.com/docs:/sbin/__nologin>
>
> <http://domain.com/docs:/sbin/__nologin
> <http://domain.com/docs:/sbin/nologin>>>
>
>
> Files in their web site are owned by their user,
> with read
> permissions for 'other' (o+r), which allows apache
> (or nginx) to
> read them.
>
> --
> -Eric 'shubes'
>
>
>
> ------------------------------______---------------------
> PLUG-discuss mailing list -
> PLUG-discuss at lists.plug.__phoe____nix.az.us
> <http://phoe__nix.az.us> <http://phoenix.az.us>
> <mailto:PLUG-discuss at lists.
> <mailto:PLUG-discuss at lists.>__p__lug.phoenix.az.us
> <http://plug.phoenix.az.us>
>
> <mailto:PLUG-discuss at lists.__plug.phoenix.az.us
> <mailto:PLUG-discuss at lists.plug.phoenix.az.us>>>
>
> To subscribe, unsubscribe, or to change your mail
> settings:
> http://lists.PLUG.phoenix.az.______us/mailman/listinfo/plug-______discuss
>
> <http://lists.PLUG.phoenix.az.____us/mailman/listinfo/plug-____discuss
> <http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
> <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>>>
>
>
>
>
> --
> -Eric 'shubes'
>
> ------------------------------____---------------------
> PLUG-discuss mailing list -
> PLUG-discuss at lists.plug.__phoe__nix.az.us <http://phoenix.az.us>
> <mailto:PLUG-discuss at lists.__plug.phoenix.az.us
> <mailto:PLUG-discuss at lists.plug.phoenix.az.us>>
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.____us/mailman/listinfo/plug-____discuss
> <http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
> <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>>
>
>
>
>
> --
> -Eric 'shubes'
>
> ------------------------------__---------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.__phoenix.az.us
> <mailto:PLUG-discuss at lists.plug.phoenix.az.us>
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
> <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>
>
--
-Eric 'shubes'
More information about the PLUG-discuss
mailing list