How to Restrict a User's Access Using SFTP?

Mark Phillips mark at phillipsmarketing.biz
Wed Dec 28 15:38:07 MST 2011


Thanks to everyone for their suggestions. Based on some constraints, your
advice, some googling, I arrived at this set-up, but I am not sure how
secure it is.

1. The web creation software (iWeb on a Mac) only supports ftp and sftp to
upload a site.
2. iWeb does not support the use of "versions" for the web pages. By that I
mean iWeb is strictly one way - create a site and publish it. It cannot
import an iWeb site, it has to start at the beginning. One can create a
site and publish it, then edit the site, and publish again, but it cannot
import or use a previous version of the site as a starting point. (I
mention this because Eric suggested using git, which sounded like a great
idea, but alas

I have this setup, but I could use some advice on how to make it more
secure....

1. User account fred
2. fred's home is /var/www/domain/fred
3. /var/www/domain/fred has owner:group fred:fred
4. Document root is /var/www/domain/fred

Thanks,

Mark

On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net> wrote:

> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>
>> I need to give a user access to my web server via sftp to upload web
>> site changes. What is the best way to do this? I have several other
>> sites on the same server, so I want to prevent them or anyone else who
>> gains access to their account from being able to make changes to those
>> sites or other parts of the server.
>>
>> Thanks,
>>
>> Mark
>>
>>
> I use vsftp, which can be configured to allow users access only to their
> web site's tree. sftp might be able to do the same.
>
> Then, create their user such that their home directory is their web site's
> directory, and they cannot log in to the system (only vsftp) with an
> /etc/passwd entry like this:
> vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>
> Files in their web site are owned by their user, with read permissions for
> 'other' (o+r), which allows apache (or nginx) to read them.
>
> --
> -Eric 'shubes'
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>