Eric,

vsftp is in the Debian repositories, but the developer's tool does not use it...only sftp or ftp. The program is iWeb on the mac.

However, the article http://www.debian-administration.org/articles/590 did the trick for me!

Mark

On Thu, Dec 29, 2011 at 12:20 PM, Eric Shubert <ejs@shubes.net> wrote:
Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH. I'm using vsftp, which does not require a login shell. Probably why it's considered "very secure". ;) I expect that if vsftp is in a debian repo, you could use that instead of sftp. vsftpd is stock in the RHEL repos.


On 12/29/2011 08:04 AM, Mark Phillips wrote:
Eric,

The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
tried that, I could not sftp or ssh or gain access to the machine in
anyway. I am not sure if there is another Debian shell that allows sftp
but not ssh.

Thanks!

Mark

On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs@shubes.net
<mailto:ejs@shubes.net>> wrote:

   That should be ok.

   Be sure you have your ftp server configured such that they cannot
   access folders above/across their home folder. File permissions may
   handle this, but probably will not (many things are world readable).

   Also, be sure that they cannot login to a command prompt by setting
   their login shell to /sbin/nologin (might vary with distro). This is
   commonly done for service accounts (apache, etc).


   On 12/28/2011 03:38 PM, Mark Phillips wrote:

       Thanks to everyone for their suggestions. Based on some constraints,
       your advice, some googling, I arrived at this set-up, but I am
       not sure
       how secure it is.

       1. The web creation software (iWeb on a Mac) only supports ftp
       and sftp
       to upload a site.
       2. iWeb does not support the use of "versions" for the web pages. By
       that I mean iWeb is strictly one way - create a site and publish
       it. It
       cannot import an iWeb site, it has to start at the beginning.
       One can
       create a site and publish it, then edit the site, and publish
       again, but
       it cannot import or use a previous version of the site as a starting
       point. (I mention this because Eric suggested using git, which
       sounded
       like a great idea, but alas

       I have this setup, but I could use some advice on how to make it
       more
       secure....

       1. User account fred
       2. fred's home is /var/www/domain/fred
       3. /var/www/domain/fred has owner:group fred:fred
       4. Document root is /var/www/domain/fred

       Thanks,

       Mark

       On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs@shubes.net
       <mailto:ejs@shubes.net>
       <mailto:ejs@shubes.net <mailto:ejs@shubes.net>>> wrote:

           On 12/27/2011 10:46 PM, Mark Phillips wrote:

               I need to give a user access to my web server via sftp
       to upload web
               site changes. What is the best way to do this? I have
       several other
               sites on the same server, so I want to prevent them or
       anyone
               else who
               gains access to their account from being able to make
       changes to
               those
               sites or other parts of the server.

               Thanks,

               Mark


           I use vsftp, which can be configured to allow users access
       only to
           their web site's tree. sftp might be able to do the same.

           Then, create their user such that their home directory is
       their web
           site's directory, and they cannot log in to the system (only
       vsftp)
           with an /etc/passwd entry like this:

         vsftpuser:x:511:511::/var/____vhosts/domain.com/docs:/sbin/____nologin <http://domain.com/docs:/sbin/__nologin>
       <http://domain.com/docs:/sbin/__nologin

       <http://domain.com/docs:/sbin/nologin>>


           Files in their web site are owned by their user, with read
           permissions for 'other' (o+r), which allows apache (or nginx) to
           read them.

           --
           -Eric 'shubes'


           ------------------------------____---------------------
           PLUG-discuss mailing list -
       PLUG-discuss@lists.plug.__phoe__nix.az.us <http://phoenix.az.us>
       <mailto:PLUG-discuss@lists.__plug.phoenix.az.us

       <mailto:PLUG-discuss@lists.plug.phoenix.az.us>>

           To subscribe, unsubscribe, or to change your mail settings:
       http://lists.PLUG.phoenix.az.____us/mailman/listinfo/plug-____discuss

       <http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
       <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>>




   --
   -Eric 'shubes'

   ------------------------------__---------------------
   PLUG-discuss mailing list - PLUG-discuss@lists.plug.__phoenix.az.us
   <mailto:PLUG-discuss@lists.plug.phoenix.az.us>
   To subscribe, unsubscribe, or to change your mail settings:
   http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
   <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>




--
-Eric 'shubes'

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss