Ben
Sorry - built-in OpenSSH chroot functionality
On Thu, Dec 29, 2011 at 12:36 AM, azlobo73 <azlobo73@gmail.com> wrote:
If you can either relocate the vhost or the user home directory, then this might be of some help, which explains using built-in chroot functionality with sftp access to restrict access and visibility: http://www.debian-administration.org/articles/590
Ben
On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs@shubes.net> wrote:
That should be ok.
Be sure you have your ftp server configured such that they cannot access folders above/across their home folder. File permissions may handle this, but probably will not (many things are world readable).
Also, be sure that they cannot login to a command prompt by setting their login shell to /sbin/nologin (might vary with distro). This is commonly done for service accounts (apache, etc).
On 12/28/2011 03:38 PM, Mark Phillips wrote:
Thanks to everyone for their suggestions. Based on some constraints,
your advice, and some googling, I arrived at this set-up, but I am not
sure how secure it is.
1. The web creation software (iWeb on a Mac) only supports ftp and sftp
to upload a site.
2. iWeb does not support the use of "versions" for the web pages. By
that I mean iWeb is strictly one way - create a site and publish it. It
cannot import an iWeb site; it has to start at the beginning. One can
create a site and publish it, then edit the site, and publish again, but
it cannot import or use a previous version of the site as a starting
point. (I mention this because Eric suggested using git, which sounded
like a great idea, but alas
I have this setup, but I could use some advice on how to make it more
secure....
1. User account fred
2. fred's home is /var/www/domain/fred
3. /var/www/domain/fred has owner:group fred:fred
4. Document root is /var/www/domain/fred
Thanks,
Mark
On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs@shubes.net> wrote:
On 12/27/2011 10:46 PM, Mark Phillips wrote:
I need to give a user access to my web server via sftp to upload web
site changes. What is the best way to do this? I have several other
sites on the same server, so I want to prevent them or anyone else who
gains access to their account from being able to make changes to those
sites or other parts of the server.
Thanks,
Mark
I use vsftp, which can be configured to allow users access only to
their web site's tree. sftp might be able to do the same.
Then, create their user such that their home directory is their web
site's directory, and they cannot log in to the system (only vsftp)
with an /etc/passwd entry like this:
vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
Files in their web site are owned by their user, with read
permissions for 'other' (o+r), which allows apache (or nginx) to
read them.
--
-Eric 'shubes'
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
-Eric 'shubes'
---
Ben
python -c "exec(\"import math\\nprint ''.join(map(lambda x: chr(x), ( (ord('a')-(3*5)), int(math.sqrt(math.pi*76)*5+2), int(math.ceil(math.e)*28), int(math.floor(math.e)*35), long(abs(4%3*35+3)*2))))\")"
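Ben's pointer to OpenSSH's built-in chroot and Mark's layout, turned into a concrete configuration as an added example (not code from the thread or from OpenSSH). It assumes user fred, chroot /var/www/domain with fred's writable docroot /var/www/domain/fred inside it, and GNU stat.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: the sshd_config
# fragment for the built-in SFTP chroot, plus a check for the ownership rule
# sshd enforces on the chroot path. Names assumed from Mark's setup: user
# "fred", chroot /var/www/domain, writable docroot /var/www/domain/fred.

# Match block to append to sshd_config after review. ForceCommand internal-sftp
# runs the SFTP server inside sshd, so the chroot needs no shell or binaries
# and fred never reaches a command prompt.
sftp_only_block() {
  cat <<'EOF'
Match User fred
    ChrootDirectory /var/www/domain
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses a ChrootDirectory unless it and every parent are owned by root
# and writable by nobody else; otherwise the user could swap a directory out
# from under the chroot. Checks one directory. The expected owner uid defaults
# to 0 and is a parameter only so the check can be exercised without root.
check_chroot_dir() {
  d=$1; want_uid=${2:-0}
  [ -d "$d" ] || { echo "BAD $d: not a directory"; return 1; }
  uid=$(stat -c %u "$d") || return 2
  perm=$(stat -c %A "$d") || return 2   # e.g. drwxr-xr-x (GNU stat)
  [ "$uid" = "$want_uid" ] || { echo "BAD $d: owner uid $uid, want $want_uid"; return 1; }
  case $perm in
    ?????w*)    echo "BAD $d: group-writable ($perm)"; return 1 ;;
    ????????w*) echo "BAD $d: world-writable ($perm)"; return 1 ;;
  esac
  echo "ok  $d ($perm, uid $uid)"
}

# Walk from the chroot up to / so every path component is checked.
check_chroot_path() {
  p=$1; rc=0
  while :; do
    check_chroot_dir "$p" "${2:-0}" || rc=1
    [ "$p" = "/" ] && break
    p=$(dirname "$p")
  done
  return $rc
}

# Usage: sh sftp-chroot.sh /var/www/domain  (prints the block, checks the path)
[ $# -eq 0 ] || { sftp_only_block; check_chroot_path "$1"; }
```

Because the chroot itself must be root-owned, fred cannot write at the chroot's top level; his SFTP session starts at / inside the chroot and uploads belong in /fred.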