If you can either relocate the vhost or the user home directory, then this might be of some help, which explains using built-in chroot functionality with sftp access to restrict access and visibility: http://www.debian-administration.org/articles/590 Ben On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert wrote: > That should be ok. > > Be sure you have your ftp server configured such that they cannot access > folders above/across their home folder. File permissions may handle this, > but probably will not (many things are world readable). > > Also, be sure that they cannot login to a command prompt by setting their > login shell to /sbin/nologin (might vary with distro). This is commonly > done for service accounts (apache, etc). > > > On 12/28/2011 03:38 PM, Mark Phillips wrote: > >> Thanks to everyone for their suggestions. Based on some constraints, >> your advice, some googling, I arrived at this set-up, but I am not sure >> how secure it is. >> >> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp >> to upload a site. >> 2. iWeb does not support the use of "versions" for the web pages. By >> that I mean iWeb is strictly one way - create a site and publish it. It >> cannot import an iWeb site, it has to start at the beginning. One can >> create a site and publish it, then edit the site, and publish again, but >> it cannot import or use a previous version of the site as a starting >> point. (I mention this because Eric suggested using git, which sounded >> like a great idea, but alas >> >> I have this setup, but I could use some advice on how to make it more >> secure.... >> >> 1. User account fred >> 2. fred's home is /var/www/domain/fred >> 3. /var/www/domain/fred has owner:group fred:fred >> 4. Document root is /var/www/domain/fred >> >> Thanks, >> >> Mark >> >> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert > > wrote: >> >> On 12/27/2011 10:46 PM, Mark Phillips wrote: >> >> I need to give a user access to my web server via sftp to upload >> web >> site changes. What is the best way to do this? I have several other >> sites on the same server, so I want to prevent them or anyone >> else who >> gains access to their account from being able to make changes to >> those >> sites or other parts of the server. >> >> Thanks, >> >> Mark >> >> >> I use vsftp, which can be configured to allow users access only to >> their web site's tree. sftp might be able to do the same. >> >> Then, create their user such that their home directory is their web >> site's directory, and they cannot log in to the system (only vsftp) >> with an /etc/passwd entry like this: >> vsftpuser:x:511:511::/var/__**vhosts/domain.com/docs:/sbin/_**_nologin >> >> > >> >> >> Files in their web site are owned by their user, with read >> permissions for 'other' (o+r), which allows apache (or nginx) to >> read them. >> >> -- >> -Eric 'shubes' >> >> >> ------------------------------**__--------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.plug.__phoe**nix.az.us >> >> > >> >> To subscribe, unsubscribe, or to change your mail settings: >> http://lists.PLUG.phoenix.az._**_us/mailman/listinfo/plug-__**discuss >> >> > >> >> >> > > -- > -Eric 'shubes' > > ------------------------------**--------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.**phoenix.az.us > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss > -- --- Ben python -c "exec(\"import math\\nprint ''.join(map(lambda x: chr(x), ( (ord('a')-(3*5)), int(math.sqrt(math.pi*76)*5+2), int(math.ceil(math.e)*28), int(math.floor(math.e)*35), long(abs(4%3*35+3)*2))))\")"**