Re: How to Restrict a User's Access Using SFTP?

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: azlobo73
Date:  
To: Main PLUG discussion list
Subject: Re: How to Restrict a User's Access Using SFTP?
If you can either relocate the vhost or the user home directory, then this
might be of some help, which explains using built-in chroot functionality
with sftp access to restrict access and visibility:
http://www.debian-administration.org/articles/590

Ben

On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <> wrote:

> That should be ok.
>
> Be sure you have your ftp server configured such that they cannot access
> folders above/across their home folder. File permissions may handle this,
> but probably will not (many things are world readable).
>
> Also, be sure that they cannot login to a command prompt by setting their
> login shell to /sbin/nologin (might vary with distro). This is commonly
> done for service accounts (apache, etc).
>
>
> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>
>> Thanks to everyone for their suggestions. Based on some constraints,
>> your advice, some googling, I arrived at this set-up, but I am not sure
>> how secure it is.
>>
>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>> to upload a site.
>> 2. iWeb does not support the use of "versions" for the web pages. By
>> that I mean iWeb is strictly one way - create a site and publish it. It
>> cannot import an iWeb site, it has to start at the beginning. One can
>> create a site and publish it, then edit the site, and publish again, but
>> it cannot import or use a previous version of the site as a starting
>> point. (I mention this because Eric suggested using git, which sounded
>> like a great idea, but alas
>>
>> I have this setup, but I could use some advice on how to make it more
>> secure....
>>
>> 1. User account fred
>> 2. fred's home is /var/www/domain/fred
>> 3. /var/www/domain/fred has owner:group fred:fred
>> 4. Document root is /var/www/domain/fred
>>
>> Thanks,
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <
>> <mailto:ejs@shubes.net>> wrote:
>>
>>    On 12/27/2011 10:46 PM, Mark Phillips wrote:

>>
>>        I need to give a user access to my web server via sftp to upload
>> web
>>        site changes. What is the best way to do this? I have several other
>>        sites on the same server, so I want to prevent them or anyone
>>        else who
>>        gains access to their account from being able to make changes to
>>        those
>>        sites or other parts of the server.

>>
>>        Thanks,

>>
>>        Mark

>>
>>
>>    I use vsftp, which can be configured to allow users access only to
>>    their web site's tree. sftp might be able to do the same.

>>
>>    Then, create their user such that their home directory is their web
>>    site's directory, and they cannot log in to the system (only vsftp)
>>    with an /etc/passwd entry like this:
>>    vsftpuser:x:511:511::/var/__**vhosts/domain.com/docs:/sbin/_**_nologin<http://domain.com/docs:/sbin/__nologin>
>>    <http://domain.com/docs:/sbin/**nologin<http://domain.com/docs:/sbin/nologin>

>> >
>>
>>
>>    Files in their web site are owned by their user, with read
>>    permissions for 'other' (o+r), which allows apache (or nginx) to
>>    read them.

>>
>>    --
>>    -Eric 'shubes'

>>
>>
>>    ------------------------------**__---------------------
>>    PLUG-discuss mailing list - .__phoe**nix.az.us<http://phoenix.az.us>
>>    <mailto:PLUG-discuss@lists.**plug.phoenix.az.us<>

>> >
>>
>>    To subscribe, unsubscribe, or to change your mail settings:
>>    http://lists.PLUG.phoenix.az._**_us/mailman/listinfo/plug-__**discuss
>>    <http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>

>> >
>>
>>
>>
>
> --
> -Eric 'shubes'
>
> ------------------------------**---------------------
> PLUG-discuss mailing list - .**phoenix.az.us<>
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>




--
---
Ben

python -c "exec(\"import math\\nprint ''.join(map(lambda x: chr(x), (
(ord('a')-(3*5)), int(math.sqrt(math.pi*76)*5+2),
int(math.ceil(math.e)*28), int(math.floor(math.e)*35),
long(abs(4%3*35+3)*2))))\")"**
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss