<div dir="auto"><div>I think a lot of this could be made a lot easier with Ansible and Jinja templates.</div><div><br></div><div data-smartmail="gmail_signature">--<br>Thanks,<br>Alexander<br><br>Sent from my Google Pixel 7 Pro</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 22, 2024, 13:39 Keith Smith via PLUG-discuss <<a href="mailto:plug-discuss@lists.phxlinux.org">plug-discuss@lists.phxlinux.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thank You Everyone!!<br>
<br>
Seems the problem was I needed to uncomment "PasswordAuthentication <br>
yes" when creating a user with SSH ability.<br>
<br>
Keith<br>
<br>
<br>
<br>
On 2024-10-22 10:46, Rusty Carruth via PLUG-discuss wrote:<br>
> ChatGPT gave a more complete answer than I do below (the question was: <br>
> This person is using vhost, and thinks he wants to chroot to the <br>
> docroot of the vhost when the user logs in. What do you think of that?)<br>
> <br>
> (I never thought I'd be pointing people to an AI for answers! ;-)<br>
> <br>
> <br>
> On 10/22/24 10:42, Rusty Carruth via PLUG-discuss wrote:<br>
>> One thing I don't understand, below.<br>
>> <br>
>> On 10/22/24 10:25, Keith Smith via PLUG-discuss wrote:<br>
>>> Hi,<br>
>>> <br>
>>> I appreciate all the feedback. There is more to the story.<br>
>>> <br>
>>> ....<br>
>>> <br>
>>> The 3 things I think I need to accomplish:<br>
>>> <br>
>>> 1) Add a user and configure it to use SSH.<br>
>>> 2) Configure each vhost to use PHP-FPM.<br>
>>> 3) Limit the User to the docroot of its virtual host. <br>
>>> (ChrootDirectory)<br>
>>> <br>
>> I don't understand # 3. Let me say what I think you said: you have <br>
>> (some number of) virtual machines. Or do you mean that thing that <br>
>> allows you to run more than one web address from the same IP address? <br>
>> In either case, why do you need to chroot to docroot? You do realize <br>
>> that docroot must then have EVERYTHING the user needs - all programs, <br>
>> all devices, everything. So you're going to need /dev, /bin, <br>
>> /usr/bin, and so forth or the user will be dead in the water with no <br>
>> commands - shoot, not even bash will be there to try to type commands!<br>
>> <br>
>> If you're doing the chroot already, and it's failing, then that's <br>
>> probably because bash isn't there, nor is anything else you need...<br>
>> <br>
>>> I am using a clone of the LAMP server so I am going to remove it and <br>
>>> create another clone and start by trying to create a user that has SSH <br>
>>> access and a home directory.<br>
>>> <br>
>> If you are using virtual machines, just clone it in the virtual <br>
>> machine - but then, I'm thinking you don't mean virtual machine, you <br>
>> mean that other thing :-)<br>
>>> Then I think I should work on limiting that user to the vhost that it is <br>
>>> designated to work with.<br>
>>> <br>
>>> <br>
>> So, if you mean not virtual machine but that other thing, then you're <br>
>> either going to have to copy all the stuff I talk about above in to <br>
>> the docroot tree (which I still think will cause more problems than it <br>
>> will fix), or mount the stuff above inside the docroot, or figure out <br>
>> how to change permissions and ownership so that the user can only <br>
>> change the stuff in their docroot. Perhaps group ownership can save <br>
>> the day here, assuming you want ALL files in ALL web servers to be <br>
>> owned by whoever is running Apache, then create 2 or more groups, <br>
>> change all group ownership to the NON-User group, then<br>
>> <br>
>> change group ownership of all files in your docroot to the group of <br>
>> the user (obviously you're going to have to change the user to have <br>
>> that group too), then change permissions to something like 770 for all <br>
>> directories everywhere (or 775, or whatever) and 660 for all files. <br>
>> Done, supposedly ;-)<br>
>> <br>
>>> <br>
>>> Then finish up by installing and configuring the vhost to use PHP-FPM.<br>
>>> <br>
>>> Any thoughts are much appreciated!!<br>
>>> <br>
>>> Keith<br>
>>> <br>
>>> <br>
>> ---------------------------------------------------<br>
>> PLUG-discuss mailing list: <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
>> To subscribe, unsubscribe, or to change your mail settings:<br>
>> <a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</blockquote></div>
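<p>An added example, not code from anyone in the thread: it applies the group-ownership and 770/660 permission scheme Rusty describes to a docroot, checks the ownership rule sshd enforces on a ChrootDirectory path, and emits a per-user sshd_config Match block that confines the account to SFTP inside the chroot, which is how the chroot works without copying /bin, /dev or a shell into it. The site layout (a root-owned /var/www/&lt;site&gt; parent holding a group-writable htdocs docroot) and the user name are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: chroot parent
# /var/www/<site> owned by root, docroot /var/www/<site>/htdocs writable
# by the site user's group. Requires GNU coreutils/findutils.

# Rusty's scheme: files group-owned by the site user's group,
# directories 770, files 660.
apply_docroot_perms() {  # usage: apply_docroot_perms <docroot> <group>
  docroot=$1 group=$2
  chgrp -R "$group" "$docroot" &&
  find "$docroot" -type d -exec chmod 770 {} + &&
  find "$docroot" -type f -exec chmod 660 {} +
}

# sshd refuses a ChrootDirectory unless it and every parent directory are
# owned by root and writable by nobody else. That is why the chroot must be
# the root-owned site parent, not the group-writable docroot itself.
# Returns 0 if <dir> satisfies that rule all the way up to /.
chroot_path_ok() {  # usage: chroot_path_ok <dir>
  dir=$1
  while :; do
    [ "$(stat -c %u "$dir")" = 0 ] || return 1
    # -perm /022: group- or world-writable bit set -> reject
    [ -z "$(find "$dir" -maxdepth 0 -perm /022)" ] || return 1
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# sshd_config fragment: SFTP only, chrooted, no forwarding, password
# login enabled just for this user instead of globally.
sshd_match_block() {  # usage: sshd_match_block <user> <chroot_parent>
  printf 'Match User %s\n' "$1"
  printf '    ChrootDirectory %s\n' "$2"
  printf '    ForceCommand internal-sftp\n'
  printf '    AllowTcpForwarding no\n'
  printf '    X11Forwarding no\n'
  printf '    PasswordAuthentication yes\n'
}

# Example run (hypothetical site "web1"); validate with `sshd -t` after
# appending the block to /etc/ssh/sshd_config.
if [ "${1:-}" = demo ]; then
  apply_docroot_perms /var/www/web1/htdocs web1
  chroot_path_ok /var/www/web1 || echo "chroot parent fails sshd's rule" >&2
  sshd_match_block web1 /var/www/web1
fi
```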