Also please note, native chroot is a native option in OpenSSH since v4.9, so if you are in an environment that isn't running v4.9+ and can't be upgraded, my original link will not work so well. YMMV.

On Thu, Dec 29, 2011 at 11:32 AM, azlobo73 wrote:
> When installed, depending on your distro and package management system's
> post-install process, the pseudo/restricted 'shell' may need to be added to
> the /etc/shells or equivalent file to work as a listed shell for a user in
> /etc/passwd. Another such one is called scponly. One plus with a
> non-shell option is that you don't need to set up the jailed environment
> quite as much as you would with a shell environment (and since lack of
> trust is usually involved, shell access is not usually desirable, but can
> be a necessity depending on what the developer needs to do, etc).
>
> Symlinks might well not work (probably not at all as desired) in the
> chroot jail ("seeing outside" of the jail for the user logged in might mean
> a broken symlink in that context, etc). Therefore I'd move the vhost and
> update the DocumentRoot to point to the new place (or move the user's home
> to the vhost - which of these two is more manageable as an admin is the
> question, and might also be impacted by partitioning constraints etc).
> Note too that the user's home directory has to then be readable (at least,
> depending on web app needs) by the apache process's user, so this is not a
> 'home' in the usual sense from the point of view of the outer, unjailed
> environment.
>
> Ben
>
> On Thu, Dec 29, 2011 at 8:27 AM, Lisa Kachold wrote:
>> Hi Mark,
>>
>> No, you cannot use a nologin with scp or ssh.
>>
>> There are a few restricted shells, most notably rssh (which is in apt-get
>> for Debian):
>>
>> http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
>> http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
>>
>> On Thu, Dec 29, 2011 at 8:04 AM, Mark Phillips <mark@phillipsmarketing.biz> wrote:
>>> Eric,
>>>
>>> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
>>> tried that, I could not sftp or ssh or gain access to the machine in
>>> any way. I am not sure if there is another Debian shell that allows sftp but
>>> not ssh.
>>>
>>> Thanks!
>>>
>>> Mark
>>>
>>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert wrote:
>>>> That should be ok.
>>>>
>>>> Be sure you have your ftp server configured such that they cannot
>>>> access folders above/across their home folder. File permissions may handle
>>>> this, but probably will not (many things are world readable).
>>>>
>>>> Also, be sure that they cannot login to a command prompt by setting
>>>> their login shell to /sbin/nologin (might vary with distro). This is
>>>> commonly done for service accounts (apache, etc).
>>>>
>>>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>>>> Thanks to everyone for their suggestions. Based on some constraints,
>>>>> your advice, and some googling, I arrived at this set-up, but I am not sure
>>>>> how secure it is.
>>>>>
>>>>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>>>>> to upload a site.
>>>>> 2. iWeb does not support the use of "versions" for the web pages. By
>>>>> that I mean iWeb is strictly one way - create a site and publish it. It
>>>>> cannot import an iWeb site, it has to start at the beginning. One can
>>>>> create a site and publish it, then edit the site, and publish again, but
>>>>> it cannot import or use a previous version of the site as a starting
>>>>> point. (I mention this because Eric suggested using git, which sounded
>>>>> like a great idea, but alas
>>>>>
>>>>> I have this setup, but I could use some advice on how to make it more
>>>>> secure....
>>>>>
>>>>> 1. User account fred
>>>>> 2. fred's home is /var/www/domain/fred
>>>>> 3. /var/www/domain/fred has owner:group fred:fred
>>>>> 4. Document root is /var/www/domain/fred
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>>
>>>>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert wrote:
>>>>>> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>>>>>> I need to give a user access to my web server via sftp to upload web
>>>>>>> site changes. What is the best way to do this? I have several other
>>>>>>> sites on the same server, so I want to prevent them or anyone else who
>>>>>>> gains access to their account from being able to make changes to those
>>>>>>> sites or other parts of the server.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Mark
>>>>>>
>>>>>> I use vsftp, which can be configured to allow users access only to
>>>>>> their web site's tree. sftp might be able to do the same.
>>>>>>
>>>>>> Then, create their user such that their home directory is their web
>>>>>> site's directory, and they cannot log in to the system (only vsftp)
>>>>>> with an /etc/passwd entry like this:
>>>>>> vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>>>>>>
>>>>>> Files in their web site are owned by their user, with read
>>>>>> permissions for 'other' (o+r), which allows apache (or nginx) to
>>>>>> read them.
>>>>>>
>>>>>> --
>>>>>> -Eric 'shubes'
>>>>>>
>>>>>> ---------------------------------------------------
>>>>>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>
>>>> --
>>>> -Eric 'shubes'

--
Ben
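Since the top post points at OpenSSH's native chroot (4.9+), here is an added example of my own, not code from the thread: the sshd_config Match block that confines a user to sftp without any login shell or /etc/shells entry, plus a check of the rule sshd applies to ChrootDirectory (every path component root-owned and not group/world-writable), which is why a fred-owned /var/www/domain/fred like the one in the thread has to sit inside the chroot rather than be the chroot itself. The paths, the uid 1001 and the injectable statfn are assumptions for illustration.

```python
# Added example, not from the thread: sanity-check a native OpenSSH (>= 4.9)
# sftp chroot layout before enabling it. Paths, uids and the injectable
# statfn are constructed for illustration.
import os
import stat


def sshd_match_block(user, chroot):
    """sshd_config block confining one user to sftp inside a chroot."""
    lines = [f"Match User {user}",
             f"    ChrootDirectory {chroot}",
             "    ForceCommand internal-sftp",
             "    AllowTcpForwarding no",
             "    X11Forwarding no"]
    return "\n".join(lines) + "\n"


def _components(path):
    """'/var/www/domain' -> ['/', '/var', '/var/www', '/var/www/domain']"""
    path, parts = os.path.abspath(path), []
    while True:
        parts.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return parts[::-1]
        path = parent


def chroot_problems(chroot, statfn=os.stat, root_uid=0):
    """sshd refuses to chroot unless every component of ChrootDirectory is a
    root-owned directory that is not group- or world-writable."""
    problems = []
    for comp in _components(chroot):
        st = statfn(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != root_uid:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others")
    return problems


def upload_dir_problems(path, user_uid, statfn=os.stat):
    """The publish directory must belong to the user and, as the thread
    notes, be readable and searchable by the web server's user (o+rx)."""
    st, problems = statfn(os.path.abspath(path)), []
    if st.st_uid != user_uid:
        problems.append(f"{path}: not owned by uid {user_uid}")
    if st.st_mode & (stat.S_IROTH | stat.S_IXOTH) != (stat.S_IROTH | stat.S_IXOTH):
        problems.append(f"{path}: web server cannot read it (needs o+rx)")
    return problems
```

Run chroot_problems("/var/www/domain") on the live box before restarting sshd; anything it lists is what would otherwise surface as a "bad ownership or modes for chroot directory" refusal in the auth log.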