Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH.
I'm using vsftp, which does not require a login shell. Probably why it's
considered "very secure". ;) I expect that if vsftp is in a debian repo,
you could use that instead of sftp. vsftpd is stock in the RHEL repos.
On 12/29/2011 08:04 AM, Mark Phillips wrote:
Eric,
The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
tried that, I could not sftp or ssh or gain access to the machine in
anyway. I am not sure if there is another Debian shell that allows sftp
but not ssh.
Thanks!
Mark
On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <[email protected]
<mailto:[email protected]>> wrote:
That should be ok.
Be sure you have your ftp server configured such that they cannot
access folders above/across their home folder. File permissions may
handle this, but probably will not (many things are world readable).
Also, be sure that they cannot login to a command prompt by setting
their login shell to /sbin/nologin (might vary with distro). This is
commonly done for service accounts (apache, etc).
On 12/28/2011 03:38 PM, Mark Phillips wrote:
Thanks to everyone for their suggestions. Based on some constraints,
your advice, some googling, I arrived at this set-up, but I am
not sure
how secure it is.
1. The web creation software (iWeb on a Mac) only supports ftp
and sftp
to upload a site.
2. iWeb does not support the use of "versions" for the web pages. By
that I mean iWeb is strictly one way - create a site and publish
it. It
cannot import an iWeb site, it has to start at the beginning.
One can
create a site and publish it, then edit the site, and publish
again, but
it cannot import or use a previous version of the site as a starting
point. (I mention this because Eric suggested using git, which
sounded
like a great idea, but alas
I have this setup, but I could use some advice on how to make it
more
secure....
1. User account fred
2. fred's home is /var/www/domain/fred
3. /var/www/domain/fred has owner:group fred:fred
4. Document root is /var/www/domain/fred
Thanks,
Mark
On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <[email protected]
<mailto:[email protected]>
<mailto:[email protected] <mailto:[email protected]>>> wrote:
On 12/27/2011 10:46 PM, Mark Phillips wrote:
I need to give a user access to my web server via sftp
to upload web
site changes. What is the best way to do this? I have
several other
sites on the same server, so I want to prevent them or
anyone
else who
gains access to their account from being able to make
changes to
those
sites or other parts of the server.
Thanks,
Mark
I use vsftp, which can be configured to allow users access
only to
their web site's tree. sftp might be able to do the same.
Then, create their user such that their home directory is
their web
site's directory, and they cannot log in to the system (only
vsftp)
with an /etc/passwd entry like this:
vsftpuser:x:511:511::/var/____vhosts/domain.com/docs:/sbin/____nologin
<http://domain.com/docs:/sbin/__nologin>
<http://domain.com/docs:/sbin/__nologin
<http://domain.com/docs:/sbin/nologin>>
Files in their web site are owned by their user, with read
permissions for 'other' (o+r), which allows apache (or nginx) to
read them.
--
-Eric 'shubes'
------------------------------____---------------------
PLUG-discuss mailing list -
[email protected].__phoe__nix.az.us <http://phoenix.az.us>
<mailto:PLUG-discuss@lists.__plug.phoenix.az.us
<mailto:[email protected]>>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.____us/mailman/listinfo/plug-____discuss
<http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>>
--
-Eric 'shubes'
------------------------------__---------------------
PLUG-discuss mailing list - [email protected].__phoenix.az.us
<mailto:[email protected]>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
--
-Eric 'shubes'
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
