Unable to SSH into Server

Rusty Carruth rustycar54 at descomp.com
Tue Oct 22 10:42:35 MST 2024


One thing I don't understand, below.

On 10/22/24 10:25, Keith Smith via PLUG-discuss wrote:
> Hi,
>
> I appreciate all the feedback.  There is more to the story.
>
> ....
>
> The 3 things I think I need to accomplish:
>
> 1) Add a user and configure it to use SSH.
> 2) Configure each vhost to use PHP-FPM.
> 3) Limit the User to the docroot of its virtual host. (ChrootDirectory)
>
I don't understand # 3.  Let me say what I think you said:  you have 
(some number of) virtual machines.  Or do you mean that thing that 
allows you to run more than one web address from the same IP address?  
In either case, why do you need to chroot to docroot? You do realize 
that docroot must then have EVERYTHING the user needs - all programs, 
all devices, everything.  So you're going to need /dev, /bin, /usr/bin, 
and so forth or the user will be dead in the water with no commands - 
shoot, not even bash will be there to try to type commands!

If you're doing the chroot already, and it's failing, then that's 
probably because bash isn't there, nor is anything else you need...

> I am using a clone of the LAMP server so I am going to remove it and 
> create another clone and start by trying to create a user that has SSH 
> access and a home directory.
>
If you are using virtual machines, just clone it in the virtual machine 
- but then, I'm thinking you don't mean virtual machine, you mean that 
other thing :-)

> Then I think I should work on limiting that user to the vhost that is 
> designated to work with.
>
>
So, if you mean not virtual machine but that other thing, then you're 
either going to have to copy all the stuff I talk about above into the 
docroot tree (which I still think will cause more problems than it will 
fix), or mount the stuff above inside the docroot, or figure out how to 
change permissions and ownership so that the user can only change the 
stuff in their docroot.  Perhaps group ownership can save the day here, 
assuming you want ALL files in ALL web servers to be owned by whoever is 
running Apache, then create 2 or more groups, change all group ownership 
to the NON-User group, then 
change group ownership of all files in your docroot to the group of the 
user (obviously you're going to have to change the user to have that 
group too), then change permissions to something like 770 for all 
directories everywhere (or 775, or whatever) and 660 for all files.  
Done, supposedly ;-)

>
> Then finish up by installing configuring the vhost to use PHP-FPM.
>
> Any thoughts are much appreciated!!
>
> Keith
>
>
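
The point made in the reply above (a chroot at the docroot must itself contain the shell and everything the shell needs) can be checked before ChrootDirectory is switched on. The following is an added example, not part of the original message; it goes slightly further than the reply by also checking the path-ownership rule from sshd_config(5) and the shell's shared libraries, and the function name `chroot_audit` and its output labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list what a directory lacks before it
# can serve as an sshd ChrootDirectory for an interactive login.
# Usage: chroot_audit <absolute_chroot_dir> [shell_path]   (default /bin/bash)
chroot_audit() {
    root=${1%/}; shell=${2:-/bin/bash}; bad=0
    case $root in /*) ;; *) echo "ERROR need an absolute path"; return 2 ;; esac
    [ -d "$root" ] || { echo "MISSING $root"; return 1; }

    # sshd_config(5): every component of the ChrootDirectory path must be
    # root-owned and not writable by group or others.
    p=$root
    while [ -n "$p" ]; do
        set -- $(ls -ldn "$p")          # $1 = mode string, $3 = numeric uid
        [ "$3" = 0 ] || { echo "OWNER $p (uid $3, must be 0)"; bad=1; }
        case $1 in
            ?????w*|????????w*) echo "WRITABLE $p ($1)"; bad=1 ;;
        esac
        p=${p%/*}
    done

    # The login shell must exist inside the tree ...
    [ -x "$root$shell" ] || { echo "MISSING $shell"; bad=1; }

    # ... together with every shared library it loads (paths taken from the
    # host copy of the shell; a static shell yields none).
    for lib in $(ldd "$shell" 2>/dev/null | grep -o '/[^ ]*'); do
        [ -e "$root$lib" ] || { echo "MISSING $lib"; bad=1; }
    done

    # Character devices an interactive session expects.
    for dev in /dev/null /dev/zero /dev/tty; do
        [ -c "$root$dev" ] || { echo "MISSING $dev"; bad=1; }
    done
    return $bad
}
```

Run against a bare docroot, the function prints one line per missing or mis-owned item and returns non-zero; an empty result means the checks it performs all passed.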

