it...only sftp or ftp. The program is iWeb on the mac.
> Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH.
> I'm using vsftp, which does not require a login shell. Probably why it's
> considered "very secure". ;) I expect that if vsftp is in a debian repo,
> you could use that instead of sftp. vsftpd is stock in the RHEL repos.
>
>
> On 12/29/2011 08:04 AM, Mark Phillips wrote:
>
>> Eric,
>>
>> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
>> tried that, I could not sftp or ssh or gain access to the machine in
>> anyway. I am not sure if there is another Debian shell that allows sftp
>> but not ssh.
>>
>> Thanks!
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs@shubes.net> wrote:
>>
>> That should be ok.
>>
>> Be sure you have your ftp server configured such that they cannot
>> access folders above/across their home folder. File permissions may
>> handle this, but probably will not (many things are world readable).
>>
>> Also, be sure that they cannot login to a command prompt by setting
>> their login shell to /sbin/nologin (might vary with distro). This is
>> commonly done for service accounts (apache, etc).
>>
>>
>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>
>> Thanks to everyone for their suggestions. Based on some constraints,
>> your advice, some googling, I arrived at this set-up, but I am not sure
>> how secure it is.
>>
>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>> to upload a site.
>> 2. iWeb does not support the use of "versions" for the web pages. By
>> that I mean iWeb is strictly one way - create a site and publish it. It
>> cannot import an iWeb site, it has to start at the beginning. One can
>> create a site and publish it, then edit the site, and publish again, but
>> it cannot import or use a previous version of the site as a starting
>> point. (I mention this because Eric suggested using git, which sounded
>> like a great idea, but alas
>>
>> I have this setup, but I could use some advice on how to make it more
>> secure....
>>
>> 1. User account fred
>> 2. fred's home is /var/www/domain/fred
>> 3. /var/www/domain/fred has owner:group fred:fred
>> 4. Document root is /var/www/domain/fred
>>
>> Thanks,
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs@shubes.net> wrote:
>>
>> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>
>> I need to give a user access to my web server via sftp to upload web
>> site changes. What is the best way to do this? I have several other
>> sites on the same server, so I want to prevent them or anyone else who
>> gains access to their account from being able to make changes to those
>> sites or other parts of the server.
>>
>> Thanks,
>>
>> Mark
>>
>>
>> I use vsftp, which can be configured to allow users access only to
>> their web site's tree. sftp might be able to do the same.
>>
>> Then, create their user such that their home directory is their web
>> site's directory, and they cannot log in to the system (only vsftp)
>> with an /etc/passwd entry like this:
>>
>> vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>>
>>
>> Files in their web site are owned by their user, with read
>> permissions for 'other' (o+r), which allows apache (or nginx) to
>> read them.
>>
>> --
>> -Eric 'shubes'
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>>
>>
>>
>> --
>> -Eric 'shubes'
>>
>>
>
> --
> -Eric 'shubes'
>
>
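Mark reports that /bin/false blocks sftp as well as ssh; with OpenSSH that is expected, because the default sftp-server subsystem is launched through the user's login shell, while internal-sftp runs inside sshd and needs no shell at all. The script below is an added example, not part of the thread, giving an OpenSSH-only equivalent of the vsftpd setup Eric describes plus two checks on the resulting account; the group name sftponly, the paths, the sample passwd line and the ls output are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Group "sftponly" and paths are assumed.
# sshd_config(5) fragment: sftponly members get the in-process SFTP server
# (needs no login shell, unlike the sftp-server subsystem) and are chrooted
# into their home. sshd rejects a ChrootDirectory that is not root-owned or
# is group/world writable, so the home stays root:root 0755 and the user
# writes into a subdirectory it owns (point the vhost's DocumentRoot there).
sftp_match_block() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Check an /etc/passwd line for an upload account: non-interactive shell
# and a home directory under the web root.
check_sftp_account() {
    entry=$1 webroot=$2
    oldifs=$IFS; IFS=:; set -f
    set -- $entry
    set +f; IFS=$oldifs
    home=$6 shell=$7
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "interactive shell: $shell" >&2; return 1 ;;
    esac
    case $home in
        "$webroot"/?*) return 0 ;;
        *) echo "home outside $webroot: $home" >&2; return 1 ;;
    esac
}

# Check an `ls -ld <dir>` line against the ChrootDirectory rules:
# owned by root, no group or world write bit.
chroot_line_ok() {
    set -- $1
    mode=$1 owner=$3
    [ "$owner" = root ] || return 1
    case $mode in ?????w*|????????w*) return 1 ;; esac
    return 0
}

# Constructed sample data; on a real server use `getent passwd fred` and `ls -ld $home`.
sftp_match_block
check_sftp_account "fred:x:1001:1001::/var/www/domain/fred:/usr/sbin/nologin" /var/www
chroot_line_ok "drwxr-xr-x 3 root root 4096 Dec 28 2011 /var/www/domain/fred"
```

Replace the existing `Subsystem sftp` line in sshd_config rather than adding a second one, since sshd refuses a duplicate Subsystem definition.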