How to Restrict a User's Access Using SFTP?
azlobo73
azlobo73 at gmail.com
Thu Dec 29 11:36:22 MST 2011
Also please note, native chroot is a native option in OpenSSH since v4.9,
so if you are in an environment that isn't running v4.9+ and can't be
upgraded, my original link will not work so well. YMMV.
On Thu, Dec 29, 2011 at 11:32 AM, azlobo73 <azlobo73 at gmail.com> wrote:
> When installed, depending on your distro and packagement manage system's
> post-install process, the psuedo/restricted 'shell' may need to be added to
> the /etc/shells or equivalent file to work as a listed shell for a user in
> /etc/passwd. Another such one is called scponly. One plus with a
> non-shell option is that you don't need to set up the jailed environment
> quite as much as you would with a shell environment (and since lack of
> trust is usually involved, shell access is not usually desirable, but can
> be a necessity depending on what the developer needs to do, etc).
>
> Symlinks might well not work (probably not at all as desired) in the
> chroot jail ("seeing outside" of the jail for the user logged in might mean
> broken symlink in that context, etc). Therefore I'd move the vhost and
> update the DocumentRoot to point in the new place (or move the user's home
> to the vhost - which of these two are more manageable as an admin is the
> question, and might also be impacted up partitioning constraints etc).
> Note too that the user's home directory has to then be readable (at least,
> depending on web app needs) by apache process's user, so this is not a
> 'home' in the usual sense from the point of view of the outer, unjailed
> environment.
>
> Ben
>
>
> On Thu, Dec 29, 2011 at 8:27 AM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>
>> Hi Mark,
>>
>> No, you cannot use a nologin with scp or ssh.
>>
>> There are a few restricted shells, most notably rssh (which is in apt-get
>> for Debian):
>>
>> http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
>>
>> http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
>>
>>
>> On Thu, Dec 29, 2011 at 8:04 AM, Mark Phillips <
>> mark at phillipsmarketing.biz> wrote:
>>
>>> Eric,
>>>
>>> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
>>> tried that, I could not sftp or ssh or gain access to the machine in
>>> anyway. I am not sure if there is another Debian shell that allows sftp but
>>> not ssh.
>>>
>>> Thanks!
>>>
>>> Mark
>>>
>>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net> wrote:
>>>
>>>> That should be ok.
>>>>
>>>> Be sure you have your ftp server configured such that they cannot
>>>> access folders above/across their home folder. File permissions may handle
>>>> this, but probably will not (many things are world readable).
>>>>
>>>> Also, be sure that they cannot login to a command prompt by setting
>>>> their login shell to /sbin/nologin (might vary with distro). This is
>>>> commonly done for service accounts (apache, etc).
>>>>
>>>>
>>>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>>>
>>>>> Thanks to everyone for their suggestions. Based on some constraints,
>>>>> your advice, some googling, I arrived at this set-up, but I am not sure
>>>>> how secure it is.
>>>>>
>>>>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>>>>> to upload a site.
>>>>> 2. iWeb does not support the use of "versions" for the web pages. By
>>>>> that I mean iWeb is strictly one way - create a site and publish it. It
>>>>> cannot import an iWeb site, it has to start at the beginning. One can
>>>>> create a site and publish it, then edit the site, and publish again,
>>>>> but
>>>>> it cannot import or use a previous version of the site as a starting
>>>>> point. (I mention this because Eric suggested using git, which sounded
>>>>> like a great idea, but alas
>>>>>
>>>>> I have this setup, but I could use some advice on how to make it more
>>>>> secure....
>>>>>
>>>>> 1. User account fred
>>>>> 2. fred's home is /var/www/domain/fred
>>>>> 3. /var/www/domain/fred has owner:group fred:fred
>>>>> 4. Document root is /var/www/domain/fred
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>>
>>>>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net
>>>>> <mailto:ejs at shubes.net>> wrote:
>>>>>
>>>>> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>>>>
>>>>> I need to give a user access to my web server via sftp to
>>>>> upload web
>>>>> site changes. What is the best way to do this? I have several
>>>>> other
>>>>> sites on the same server, so I want to prevent them or anyone
>>>>> else who
>>>>> gains access to their account from being able to make changes to
>>>>> those
>>>>> sites or other parts of the server.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>> I use vsftp, which can be configured to allow users access only to
>>>>> their web site's tree. sftp might be able to do the same.
>>>>>
>>>>> Then, create their user such that their home directory is their web
>>>>> site's directory, and they cannot log in to the system (only vsftp)
>>>>> with an /etc/passwd entry like this:
>>>>> vsftpuser:x:511:511::/var/__**vhosts/domain.com/docs:/sbin/_**
>>>>> _nologin <http://domain.com/docs:/sbin/__nologin>
>>>>> <http://domain.com/docs:/sbin/**nologin<http://domain.com/docs:/sbin/nologin>
>>>>> >
>>>>>
>>>>>
>>>>> Files in their web site are owned by their user, with read
>>>>> permissions for 'other' (o+r), which allows apache (or nginx) to
>>>>> read them.
>>>>>
>>>>> --
>>>>> -Eric 'shubes'
>>>>>
>>>>>
>>>>> ------------------------------**__---------------------
>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.__phoe**
>>>>> nix.az.us <http://phoenix.az.us>
>>>>> <mailto:PLUG-discuss at lists.**plug.phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
>>>>> >
>>>>>
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> http://lists.PLUG.phoenix.az._**_us/mailman/listinfo/plug-__**
>>>>> discuss
>>>>> <http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> -Eric 'shubes'
>>>>
>>>> ------------------------------**---------------------
>>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.**phoenix.az.us<PLUG-discuss at lists.plug.phoenix.az.us>
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.PLUG.phoenix.az.**us/mailman/listinfo/plug-**discuss<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>>>>
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> (602) 791-8002 Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> HomeSmartInternational.com
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
>
>
--
---
Ben
python -c "exec(\"import math\\nprint ''.join(map(lambda x: chr(x), (
(ord('a')-(3*5)), int(math.sqrt(math.pi*76)*5+2),
int(math.ceil(math.e)*28), int(math.floor(math.e)*35),
long(abs(4%3*35+3)*2))))\")"**
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20111229/aedd37c8/attachment.html>
More information about the PLUG-discuss
mailing list