Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH. I'm using vsftp, which does not require a login shell. Probably why it's considered "very secure". ;) I expect that if vsftp is in a debian repo, you could use that instead of sftp. vsftpd is stock in the RHEL repos. On 12/29/2011 08:04 AM, Mark Phillips wrote: > Eric, > > The Debian equivalent to /sbin/nologin appears to be /bin/false. When I > tried that, I could not sftp or ssh or gain access to the machine in > anyway. I am not sure if there is another Debian shell that allows sftp > but not ssh. > > Thanks! > > Mark > > On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert > wrote: > > That should be ok. > > Be sure you have your ftp server configured such that they cannot > access folders above/across their home folder. File permissions may > handle this, but probably will not (many things are world readable). > > Also, be sure that they cannot login to a command prompt by setting > their login shell to /sbin/nologin (might vary with distro). This is > commonly done for service accounts (apache, etc). > > > On 12/28/2011 03:38 PM, Mark Phillips wrote: > > Thanks to everyone for their suggestions. Based on some constraints, > your advice, some googling, I arrived at this set-up, but I am > not sure > how secure it is. > > 1. The web creation software (iWeb on a Mac) only supports ftp > and sftp > to upload a site. > 2. iWeb does not support the use of "versions" for the web pages. By > that I mean iWeb is strictly one way - create a site and publish > it. It > cannot import an iWeb site, it has to start at the beginning. > One can > create a site and publish it, then edit the site, and publish > again, but > it cannot import or use a previous version of the site as a starting > point. (I mention this because Eric suggested using git, which > sounded > like a great idea, but alas > > I have this setup, but I could use some advice on how to make it > more > secure.... > > 1. User account fred > 2. fred's home is /var/www/domain/fred > 3. /var/www/domain/fred has owner:group fred:fred > 4. Document root is /var/www/domain/fred > > Thanks, > > Mark > > On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert > >> wrote: > > On 12/27/2011 10:46 PM, Mark Phillips wrote: > > I need to give a user access to my web server via sftp > to upload web > site changes. What is the best way to do this? I have > several other > sites on the same server, so I want to prevent them or > anyone > else who > gains access to their account from being able to make > changes to > those > sites or other parts of the server. > > Thanks, > > Mark > > > I use vsftp, which can be configured to allow users access > only to > their web site's tree. sftp might be able to do the same. > > Then, create their user such that their home directory is > their web > site's directory, and they cannot log in to the system (only > vsftp) > with an /etc/passwd entry like this: > > vsftpuser:x:511:511::/var/____vhosts/domain.com/docs:/sbin/____nologin > > > > > Files in their web site are owned by their user, with read > permissions for 'other' (o+r), which allows apache (or nginx) to > read them. > > -- > -Eric 'shubes' > > > ------------------------------____--------------------- > PLUG-discuss mailing list - > PLUG-discuss@lists.plug.__phoe__nix.az.us > > > > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.____us/mailman/listinfo/plug-____discuss > > > > > > > -- > -Eric 'shubes' > > ------------------------------__--------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.__phoenix.az.us > > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss > > > -- -Eric 'shubes' --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change your mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss