How to Restrict a User's Access Using SFTP?

Eric Shubert ejs at shubes.net
Thu Dec 29 12:20:35 MST 2011


Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH. 
I'm using vsftp, which does not require a login shell. Probably why it's 
considered "very secure". ;) I expect that if vsftp is in a debian repo, 
you could use that instead of sftp. vsftpd is stock in the RHEL repos.

On 12/29/2011 08:04 AM, Mark Phillips wrote:
> Eric,
>
> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
> tried that, I could not sftp or ssh or gain access to the machine in
> anyway. I am not sure if there is another Debian shell that allows sftp
> but not ssh.
>
> Thanks!
>
> Mark
>
> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <ejs at shubes.net
> <mailto:ejs at shubes.net>> wrote:
>
>     That should be ok.
>
>     Be sure you have your ftp server configured such that they cannot
>     access folders above/across their home folder. File permissions may
>     handle this, but probably will not (many things are world readable).
>
>     Also, be sure that they cannot login to a command prompt by setting
>     their login shell to /sbin/nologin (might vary with distro). This is
>     commonly done for service accounts (apache, etc).
>
>
>     On 12/28/2011 03:38 PM, Mark Phillips wrote:
>
>         Thanks to everyone for their suggestions. Based on some constraints,
>         your advice, some googling, I arrived at this set-up, but I am
>         not sure
>         how secure it is.
>
>         1. The web creation software (iWeb on a Mac) only supports ftp
>         and sftp
>         to upload a site.
>         2. iWeb does not support the use of "versions" for the web pages. By
>         that I mean iWeb is strictly one way - create a site and publish
>         it. It
>         cannot import an iWeb site, it has to start at the beginning.
>         One can
>         create a site and publish it, then edit the site, and publish
>         again, but
>         it cannot import or use a previous version of the site as a starting
>         point. (I mention this because Eric suggested using git, which
>         sounded
>         like a great idea, but alas
>
>         I have this setup, but I could use some advice on how to make it
>         more
>         secure....
>
>         1. User account fred
>         2. fred's home is /var/www/domain/fred
>         3. /var/www/domain/fred has owner:group fred:fred
>         4. Document root is /var/www/domain/fred
>
>         Thanks,
>
>         Mark
>
>         On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs at shubes.net
>         <mailto:ejs at shubes.net>
>         <mailto:ejs at shubes.net <mailto:ejs at shubes.net>>> wrote:
>
>             On 12/27/2011 10:46 PM, Mark Phillips wrote:
>
>                 I need to give a user access to my web server via sftp
>         to upload web
>                 site changes. What is the best way to do this? I have
>         several other
>                 sites on the same server, so I want to prevent them or
>         anyone
>                 else who
>                 gains access to their account from being able to make
>         changes to
>                 those
>                 sites or other parts of the server.
>
>                 Thanks,
>
>                 Mark
>
>
>             I use vsftp, which can be configured to allow users access
>         only to
>             their web site's tree. sftp might be able to do the same.
>
>             Then, create their user such that their home directory is
>         their web
>             site's directory, and they cannot log in to the system (only
>         vsftp)
>             with an /etc/passwd entry like this:
>
>           vsftpuser:x:511:511::/var/____vhosts/domain.com/docs:/sbin/____nologin <http://domain.com/docs:/sbin/__nologin>
>         <http://domain.com/docs:/sbin/__nologin
>         <http://domain.com/docs:/sbin/nologin>>
>
>
>             Files in their web site are owned by their user, with read
>             permissions for 'other' (o+r), which allows apache (or nginx) to
>             read them.
>
>             --
>             -Eric 'shubes'
>
>
>             ------------------------------____---------------------
>             PLUG-discuss mailing list -
>         PLUG-discuss at lists.plug.__phoe__nix.az.us <http://phoenix.az.us>
>         <mailto:PLUG-discuss at lists.__plug.phoenix.az.us
>         <mailto:PLUG-discuss at lists.plug.phoenix.az.us>>
>
>             To subscribe, unsubscribe, or to change your mail settings:
>         http://lists.PLUG.phoenix.az.____us/mailman/listinfo/plug-____discuss
>         <http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
>         <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>>
>
>
>
>
>     --
>     -Eric 'shubes'
>
>     ------------------------------__---------------------
>     PLUG-discuss mailing list - PLUG-discuss at lists.plug.__phoenix.az.us
>     <mailto:PLUG-discuss at lists.plug.phoenix.az.us>
>     To subscribe, unsubscribe, or to change your mail settings:
>     http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
>     <http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
>
>


-- 
-Eric 'shubes'



More information about the PLUG-discuss mailing list