On Sat, May 20, 2006 at 02:14:34PM +0100, Gaby vanhegan wrote:
> On 20 May 2006, at 00:44, Stuart Henderson wrote:
>
> > move the files under /var/www, and nfs mount to 127.0.0.1 back
> > into the homes? you probably want to look at amd for this.
> > of course the ftpd could sit on another machine if you want.
>
> This means that I'd need an nfs mount point for each website running
> on that machine (a lot more than 80), and also requiring the use of nfs.
>
> > moving the whole homes under /var/www is simpler and presumably
> > more robust, of course... and hey, it's only 80.
>
> Which defeats the object of what I'm trying to achieve; users'
> websites (and only their websites) are inside the apache chroot, so
> in the event of a php or apache exploit, only their websites are
> exposed, not their entire home directory or Maildir.
>
> Something's got to give here. I suspect that I'm going to have to
> un-chroot the ftp daemon. Is there an ftpd somewhere that can prevent
> users from looking at certain directories? For example, I would like
> to limit access only to /home/username and /var/www/home/username in
> ftpd, and prevent access to places like /etc, /usr/local, and so on.

A lot of FTP daemons can do that, but I don't really see the point. The
protections they offer might or might not be circumventable, but nothing
interesting should be readable anyway.

Anyway, ISTR that ProFTPd could do that; I'm quite certain neither stock
ftpd nor vsftpd can.

Joachim