I think a lot of this could be made a lot easier with Ansible and Jinja templates.

--
Thanks,
Alexander

Sent from my Google Pixel 7 Pro

On Tue, Oct 22, 2024, 13:39 Keith Smith via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

> Thank You Everyone!!
>
> Seems the problem was I needed to uncomment "PasswordAuthentication
> yes". When creating a user with SSH ability.
>
> Keith
>
> On 2024-10-22 10:46, Rusty Carruth via PLUG-discuss wrote:
> > ChatGPT gave a more complete answer than I do below (the question was:
> > This person is using vhost, and thinks he wants to chroot to the
> > docroot of the vhost when the user logs in. What do you think of that?)
> >
> > (I never thought I'd be pointing people to an AI for answers! ;-)
> >
> > On 10/22/24 10:42, Rusty Carruth via PLUG-discuss wrote:
> >> One thing I don't understand, below.
> >>
> >> On 10/22/24 10:25, Keith Smith via PLUG-discuss wrote:
> >>> Hi,
> >>>
> >>> I appreciate all the feedback. There is more to the story.
> >>>
> >>> ....
> >>>
> >>> The 3 things I think I need to accomplish:
> >>>
> >>> 1) Add a user and configure it to use SSH.
> >>> 2) Configure each vhost to use PHP-FPM.
> >>> 3) Limit the User to the docroot of its virtual host.
> >>> (ChrootDirectory)
> >>>
> >> I don't understand # 3. Let me say what I think you said: you have
> >> (some number of) virtual machines. Or do you mean that thing that
> >> allows you to run more than one web address from the same IP address?
> >> In either case, why do you need to chroot to docroot? You do realize
> >> that docroot must then have EVERYTHING the user needs - all programs,
> >> all devices, everything. So you're going to need /dev, /bin,
> >> /usr/bin, and so forth or the user will be dead in the water with no
> >> commands - shoot, not even bash will be there to try to type commands!
> >>
> >> If you're doing the chroot already, and it's failing, then that's
> >> probably because bash isn't there, nor is anything else you need...
> >>
> >>> I am using a clone of the LAMP server so I am going to remove it and
> >>> create another clone and start by trying to create a user that has SSH
> >>> access and a home directory.
> >>>
> >> If you are using virtual machines, just clone it in the virtual
> >> machine - but then, I'm thinking you don't mean virtual machine, you
> >> mean that other thing :-)
> >>
> >>> Then I think I should work on limiting that user to the vhost that is
> >>> designated to work with.
> >>>
> >> So, if you mean not virtual machine but that other thing, then you're
> >> either going to have to copy all the stuff I talk about above into
> >> the docroot tree (which I still think will cause more problems than it
> >> will fix), or mount the stuff above inside the docroot, or figure out
> >> how to change permissions and ownership so that the user can only
> >> change the stuff in their docroot. Perhaps group ownership can save
> >> the day here, assuming you want ALL files in ALL web servers to be
> >> owned by whoever is running Apache, then create 2 or more groups,
> >> change all group ownership to the NON-User group, then
> >> change group ownership of all files in your docroot to the group of
> >> the user (obviously you're going to have to change the user to have
> >> that group too), then change permissions to something like 770 for all
> >> directories everywhere (or 775, or whatever) and 660 for all files.
> >> Done, supposedly ;-)
> >>
> >>> Then finish up by installing and configuring the vhost to use PHP-FPM.
> >>>
> >>> Any thoughts are much appreciated!!
> >>>
> >>> Keith
> >>>
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
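
The group-ownership scheme from the quoted 10:42 reply (one group per site, 770 on directories, 660 on files), as an added example that is not part of the thread. The function names, the constructed sample tree and the use of the caller's own group as the site group are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): apply and audit the per-docroot
# group scheme. All names and the sample tree below are assumptions.

# Give everything under a docroot to one group: 770 for dirs, 660 for files.
apply_docroot_perms() {
    adp_root=$1; adp_group=$2
    [ -d "$adp_root" ] || { echo "not a directory: $adp_root" >&2; return 2; }
    # -h: change a symlink itself, never the file it points to.
    chgrp -hR "$adp_group" "$adp_root" || return 1
    find "$adp_root" -type d -exec chmod 770 {} + || return 1
    find "$adp_root" -type f -exec chmod 660 {} + || return 1
}

# List entries that deviate from the scheme; status 1 if any are found.
audit_docroot_perms() {
    aud_root=$1; aud_group=$2
    [ -d "$aud_root" ] || { echo "not a directory: $aud_root" >&2; return 2; }
    aud_bad=$(find "$aud_root" \
        \( -type d ! -perm 770 \) -o \
        \( -type f ! -perm 660 \) -o \
        \( ! -group "$aud_group" \))
    [ -z "$aud_bad" ] && return 0
    printf '%s\n' "$aud_bad"
    return 1
}

# Constructed demo tree standing in for one vhost's docroot.
demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir -p "$demo_dir/site/inc"
    echo '<?php echo "hi";' > "$demo_dir/site/index.php"
    echo '<?php // settings' > "$demo_dir/site/inc/db.php"
    chmod 755 "$demo_dir/site" "$demo_dir/site/inc"
    chmod 644 "$demo_dir/site/index.php" "$demo_dir/site/inc/db.php"
    demo_group=$(id -g)   # assumption: caller's own group stands in for the site group
    echo "before:"
    audit_docroot_perms "$demo_dir/site" "$demo_group" || echo "(deviations listed above)"
    apply_docroot_perms "$demo_dir/site" "$demo_group"
    echo "after:"
    audit_docroot_perms "$demo_dir/site" "$demo_group" && echo "clean"
    rm -rf "$demo_dir"
}
demo
```

Running the audit from cron against each docroot shows when an upload or deploy has left a file outside the intended group or mode.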