Re: How to Restrict a User's Access Using SFTP?

Author: Eric Shubert
Date:  
To: plug-discuss
Subject: Re: How to Restrict a User's Access Using SFTP?

vsftpd supports all the same (standard) protocols, and will work with
anything that uses ftp or sftp.

On 12/29/2011 07:46 PM, Mark Phillips wrote:
> Eric,
>
> vsftp is in the Debian repositories, but the developer's tool does not
> use it...only sftp or ftp. The program is iWeb on the mac.
>
> However, the article
> http://www.debian-administration.org/articles/590 did the trick for me!
>
> Mark
>
> On Thu, Dec 29, 2011 at 12:20 PM, Eric Shubert <ejs@shubes.net> wrote:
>
>     Oops. Sorry Mark. I forgot that you said sftp, which is part of
>     OpenSSH. I'm using vsftp, which does not require a login shell.
>     Probably why it's considered "very secure". ;) I expect that if
>     vsftp is in a debian repo, you could use that instead of sftp.
>     vsftpd is stock in the RHEL repos.
>
>     On 12/29/2011 08:04 AM, Mark Phillips wrote:
>
>         Eric,
>
>         The Debian equivalent to /sbin/nologin appears to be /bin/false.
>         When I tried that, I could not sftp or ssh or gain access to the
>         machine in any way. I am not sure if there is another Debian
>         shell that allows sftp but not ssh.
>
>         Thanks!
>
>         Mark
>
>         On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs@shubes.net> wrote:
>
>             That should be ok.
>
>             Be sure you have your ftp server configured such that they
>             cannot access folders above/across their home folder. File
>             permissions may handle this, but probably will not (many
>             things are world readable).
>
>             Also, be sure that they cannot log in to a command prompt by
>             setting their login shell to /sbin/nologin (might vary with
>             distro). This is commonly done for service accounts (apache,
>             etc).
>
>             On 12/28/2011 03:38 PM, Mark Phillips wrote:
>
>                 Thanks to everyone for their suggestions. Based on some
>                 constraints, your advice, some googling, I arrived at
>                 this set-up, but I am not sure how secure it is.
>
>                 1. The web creation software (iWeb on a Mac) only
>                 supports ftp and sftp to upload a site.
>                 2. iWeb does not support the use of "versions" for the
>                 web pages. By that I mean iWeb is strictly one way -
>                 create a site and publish it. It cannot import an iWeb
>                 site, it has to start at the beginning. One can create a
>                 site and publish it, then edit the site, and publish
>                 again, but it cannot import or use a previous version of
>                 the site as a starting point. (I mention this because
>                 Eric suggested using git, which sounded like a great
>                 idea, but alas
>
>                 I have this setup, but I could use some advice on how to
>                 make it more secure....
>
>                 1. User account fred
>                 2. fred's home is /var/www/domain/fred
>                 3. /var/www/domain/fred has owner:group fred:fred
>                 4. Document root is /var/www/domain/fred
>
>                 Thanks,
>
>                 Mark
>
>                 On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs@shubes.net> wrote:
>
>                     On 12/27/2011 10:46 PM, Mark Phillips wrote:
>
>                         I need to give a user access to my web server
>                         via sftp to upload web site changes. What is the
>                         best way to do this? I have several other sites
>                         on the same server, so I want to prevent them or
>                         anyone else who gains access to their account
>                         from being able to make changes to those sites
>                         or other parts of the server.
>
>                         Thanks,
>
>                         Mark
>
>                     I use vsftp, which can be configured to allow users
>                     access only to their web site's tree. sftp might be
>                     able to do the same.
>
>                     Then, create their user such that their home
>                     directory is their web site's directory, and they
>                     cannot log in to the system (only vsftp) with an
>                     /etc/passwd entry like this:
>
>                     vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>
>                     Files in their web site are owned by their user,
>                     with read permissions for 'other' (o+r), which
>                     allows apache (or nginx) to read them.
>
>                     --
>                     -Eric 'shubes'
>
>                     ---------------------------------------------------
>                     PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>                     To subscribe, unsubscribe, or to change your mail settings:
>                     http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>             --
>             -Eric 'shubes'
>
>     --
>     -Eric 'shubes'
>

--
-Eric 'shubes'

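Editor's added example, not code from the thread or from the debian-administration article Mark links to. The sftp that iWeb speaks is OpenSSH's SFTP subsystem, so the restriction Eric gets from vsftpd has to be expressed in sshd_config: a `Match Group` block with `ChrootDirectory` (the per-site jail) and `ForceCommand internal-sftp` (the SFTP server runs inside sshd, so no login shell is spawned and `/bin/false` or `/usr/sbin/nologin` no longer breaks sftp, which is what Mark hit). The catch sshd adds is that every component of the chroot path must be root-owned and not group/world-writable, so a home directory owned `fred:fred` cannot itself be the chroot root; the writable upload directory has to sit below a root-owned root. The script below parses a constructed weak and a constructed hardened config, audits the `Match` block, and applies sshd's ownership rule to constructed file-system metadata. The group name `sftponly`, the chroot root `/var/www/domain`, uid 1001 for fred and all path metadata are assumptions made for the example.

```python
"""Audit an OpenSSH sshd_config for a chrooted, SFTP-only group.

Added example for this thread, not code from the list or the article.
Assumed (hypothetical): group "sftponly", chroot root /var/www/domain,
uid 1001 for fred. File-system metadata is constructed inline so the
script runs offline.
"""
import re
import stat

# Constructed sample configs. WEAK_CONFIG is roughly where the thread
# started: an ordinary account whose only "restriction" is file
# permissions. Giving that account /bin/false also kills sftp, because
# the sftp-server subsystem is launched through the login shell.
WEAK_CONFIG = """
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
"""

# HARDENED_CONFIG: Match + ChrootDirectory + ForceCommand internal-sftp.
# internal-sftp runs inside sshd, so no shell is spawned and the account
# can keep /usr/sbin/nologin or /bin/false.
HARDENED_CONFIG = """
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /var/www/domain
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

# Constructed metadata, path -> (uid, gid, mode), mirroring the thread's
# layout: fred's upload directory sits below a root-owned chroot root.
GOOD_FS = {
    "/": (0, 0, 0o755),
    "/var": (0, 0, 0o755),
    "/var/www": (0, 0, 0o755),
    "/var/www/domain": (0, 0, 0o755),
    "/var/www/domain/fred": (1001, 1001, 0o755),
}
# Same tree with the chroot root itself chowned to fred: sshd refuses the
# login with "bad ownership or modes for chroot directory".
BAD_FS = {**GOOD_FS, "/var/www/domain": (1001, 1001, 0o755)}

# Defaults from sshd_config(5) for the options the audit inspects.
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no",
            "permittunnel": "no", "chrootdirectory": "none"}


def parse_sshd_config(text):
    """Return (global options, [(match criteria, options), ...]).

    Keywords are case-insensitive; "key value" and "key=value" are both
    accepted. A repeated key keeps its first value, as in sshd.
    """
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            current = {}
            matches.append((value.lower(), current))
        else:
            current.setdefault(key, value)
    return global_opts, matches


def match_block_for_group(matches, group):
    """Options of the first Match block whose criteria name the group."""
    for criteria, opts in matches:
        tokens = criteria.split()
        for i in range(0, len(tokens) - 1, 2):
            if tokens[i] == "group" and group.lower() in tokens[i + 1].split(","):
                return opts
    return None


def audit_sftp_only(text, group):
    """List what is missing for the group to be sftp-only; [] means clean."""
    opts = match_block_for_group(parse_sshd_config(text)[1], group)
    if opts is None:
        return ["no 'Match Group %s' block: members get a shell and unrestricted sftp" % group]
    findings = []
    if not opts.get("forcecommand", "").startswith("internal-sftp"):
        findings.append("ForceCommand internal-sftp missing: a shell can still be requested")
    if opts.get("chrootdirectory", DEFAULTS["chrootdirectory"]).lower() == "none":
        findings.append("ChrootDirectory not set: the whole file system is reachable")
    for key, label in (("allowtcpforwarding", "AllowTcpForwarding"),
                       ("x11forwarding", "X11Forwarding"),
                       ("permittunnel", "PermitTunnel")):
        if opts.get(key, DEFAULTS[key]).lower() != "no":
            findings.append(label + " not 'no': the account doubles as a tunnel")
    return findings


def check_chroot_path(chroot, fs, user="fred", home="/var/www/domain/fred"):
    """Apply sshd's ChrootDirectory ownership rule to the metadata in fs.

    Every component of the path must be root-owned and not group- or
    world-writable, or sshd rejects the login. %h and %u expand as in sshd.
    """
    path = chroot.replace("%h", home).replace("%u", user)
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    findings = []
    for prefix in prefixes:
        if prefix not in fs:
            findings.append(prefix + ": missing")
            continue
        uid, _gid, mode = fs[prefix]
        if uid != 0:
            findings.append("%s: owned by uid %d, must be root" % (prefix, uid))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s: group/world writable (mode %o)" % (prefix, mode))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_only(cfg, "sftponly") or "OK")
    print("good tree", check_chroot_path("/var/www/domain", GOOD_FS) or "OK")
    print("bad tree", check_chroot_path("/var/www/domain", BAD_FS))
```

Run stand-alone it reports the weak config as having no Match block, the hardened one as clean, the root-owned tree as acceptable, and the tree where `/var/www/domain` belongs to fred as one that sshd would refuse. The forwarding checks are there because a chroot only confines the file system: without `AllowTcpForwarding no` the "upload-only" account is still usable as a jump host into the server's network.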