Re: File Ownership and Remote Editing.

Author: PLUG-discuss
Date:  
To: Main PLUG discussion list
Subject: Re: File Ownership and Remote Editing.
On the remote box:
Create a user, not a member of any group, that has a shell, and don't assign a
password, but configure ~/.ssh/authorized_keys2 to log in remotely.

chown -R www-data.${MY_NEW_USER} /PATH/TO/FILES/I/WANT/TO/EDIT/
find /PATH/TO/FILES/I/WANT/TO/EDIT/ -type d -exec chmod 770 "{}" \;
find /PATH/TO/FILES/I/WANT/TO/EDIT/ -type f -exec chmod 440 "{}" \;

You could also configure www-data with ssh-keys and add/remove a shell in a
blink.
You'll need to ssh as root, which either is not allowed by
/etc/ssh/sshd_config (and you want it like that) or doesn't have a password
(which you also want).
The solution again is ssh keys, and configuring /etc/ssh/sshd_config with:
PermitRootLogin without-password

Now you can:
ssh root@remotebox 'usermod -s/bin/rbash www-data'
sftp as www-data and, immediately after logging in (sftp will keep working):
ssh root@localhost 'usermod -s/bin/false www-data'
Free advice, can't sue me... :)
ET



writes:

> Hi,
>
> I am running Ubuntu 16.04 on a test server. I'd like to understand
> ownership for virtual hosts. I assume www-data:www-data so the files
> can be edited by PHP such as WordPress being able to upload or upgrade
> themes and plugins. Is this correct?
>
> I would also like to do some remote editing using SFTP. Some say to add
> a password and shell to www-data so the editor can connect as www-data.
> This seems like a security issue.
>
> The other solution I'm seeing is to make the owner:group $USER:$USER -
> which makes the files owned by the SFTP user which seems not secure and
> I'm figuring WordPress will not be able to edit its own files.
>
> What is the appropriate way?
>
> Thanks in advance.
>
> Keith

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
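
A check to run after the chown/chmod commands in the reply above, added here as an example and not part of the original message: it lists every path that deviates from the 770 (directories) / 440 (files) scheme and, optionally, from the expected owner and group. The function name audit_tree and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree against the
# scheme in the reply -- directories 770, regular files 440, and
# optionally a single expected owner and group.
# audit_tree and its arguments are hypothetical names.

# usage: audit_tree DIR [OWNER] [GROUP]
# Prints one line per deviation: "<problem> <path>".
# Returns 0 if the tree matches, 1 if anything deviates, 2 on bad input.
audit_tree() {
    root=$1 owner=${2:-} group=${3:-}
    [ -d "$root" ] || { echo "audit_tree: not a directory: $root" >&2; return 2; }
    report=$(
        # A bare octal -perm matches the permission bits exactly.
        find "$root" -type d ! -perm 770 -exec printf 'dir-mode %s\n' {} +
        find "$root" -type f ! -perm 440 -exec printf 'file-mode %s\n' {} +
        # Ownership is checked only when the caller names an owner or group.
        # Symlinks are skipped: chown -R does not change them by default.
        [ -z "$owner" ] || find "$root" ! -type l ! -user "$owner" \
            -exec printf 'owner %s\n' {} +
        [ -z "$group" ] || find "$root" ! -type l ! -group "$group" \
            -exec printf 'group %s\n' {} +
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

For the layout in the reply this would be called as: audit_tree /PATH/TO/FILES/I/WANT/TO/EDIT/ www-data "$MY_NEW_USER"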