Eric,

vsftp is in the Debian repositories, but the developer's tool does not use
it...only sftp or ftp. The program is iWeb on the Mac.

However, the article http://www.debian-administration.org/articles/590 did
the trick for me!

Mark

On Thu, Dec 29, 2011 at 12:20 PM, Eric Shubert <[email protected]> wrote:

> Oops. Sorry Mark. I forgot that you said sftp, which is part of OpenSSH.
> I'm using vsftp, which does not require a login shell. Probably why it's
> considered "very secure". ;) I expect that if vsftp is in a Debian repo,
> you could use that instead of sftp. vsftpd is stock in the RHEL repos.
>
>
> On 12/29/2011 08:04 AM, Mark Phillips wrote:
>
>> Eric,
>>
>> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
>> tried that, I could not sftp or ssh or gain access to the machine in
>> any way. I am not sure if there is another Debian shell that allows sftp
>> but not ssh.
>>
>> Thanks!
>>
>> Mark
>>
>> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <[email protected]> wrote:
>>
>>    That should be ok.
>>
>>    Be sure you have your ftp server configured such that they cannot
>>    access folders above/across their home folder. File permissions may
>>    handle this, but probably will not (many things are world readable).
>>
>>    Also, be sure that they cannot login to a command prompt by setting
>>    their login shell to /sbin/nologin (might vary with distro). This is
>>    commonly done for service accounts (apache, etc).
>>
>>
>>    On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>
>>        Thanks to everyone for their suggestions. Based on some constraints,
>>        your advice, some googling, I arrived at this set-up, but I am not
>>        sure how secure it is.
>>
>>        1. The web creation software (iWeb on a Mac) only supports ftp and
>>        sftp to upload a site.
>>        2. iWeb does not support the use of "versions" for the web pages. By
>>        that I mean iWeb is strictly one way - create a site and publish it.
>>        It cannot import an iWeb site, it has to start at the beginning. One
>>        can create a site and publish it, then edit the site, and publish
>>        again, but it cannot import or use a previous version of the site as
>>        a starting point. (I mention this because Eric suggested using git,
>>        which sounded like a great idea, but alas
>>
>>        I have this setup, but I could use some advice on how to make it more
>>        secure....
>>
>>        1. User account fred
>>        2. fred's home is /var/www/domain/fred
>>        3. /var/www/domain/fred has owner:group fred:fred
>>        4. Document root is /var/www/domain/fred
>>
>>        Thanks,
>>
>>        Mark
>>
>>        On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <[email protected]> wrote:
>>
>>            On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>
>>                I need to give a user access to my web server via sftp to
>>                upload web site changes. What is the best way to do this? I
>>                have several other sites on the same server, so I want to
>>                prevent them or anyone else who gains access to their account
>>                from being able to make changes to those sites or other parts
>>                of the server.
>>
>>                Thanks,
>>
>>                Mark
>>
>>
>>            I use vsftp, which can be configured to allow users access only
>>            to their web site's tree. sftp might be able to do the same.
>>
>>            Then, create their user such that their home directory is their
>>            web site's directory, and they cannot log in to the system (only
>>            vsftp) with an /etc/passwd entry like this:
>>
>>            vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>>
>>            Files in their web site are owned by their user, with read
>>            permissions for 'other' (o+r), which allows apache (or nginx) to
>>            read them.
>>
>>            --
>>            -Eric 'shubes'
>>
>>
>>
>>
>>
>>
>>    --
>>    -Eric 'shubes'
>>
>>
>>
>>
>
> --
> -Eric 'shubes'
>
>
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
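
An added example, not from the thread or from the linked article: a Python check for the sftp-only account discussed above. It assumes OpenSSH's `internal-sftp` with a `Match User` block that sets `ForceCommand` and `ChrootDirectory`; the passwd line, sshd_config text and ownership table are constructed, and all function names are hypothetical.

```python
# Added example; every sample value below is constructed for illustration.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SAMPLE_PASSWD = "fred:x:1001:1001::/var/www/domain/fred:/bin/false\n"
SAMPLE_SSHD = """\
Subsystem sftp internal-sftp
Match User fred
    ChrootDirectory /var/www/domain
    ForceCommand internal-sftp
"""
# Stand-in for os.stat(): path -> (owner uid, permission bits).
SAMPLE_STAT = {"/": (0, 0o755), "/var": (0, 0o755), "/var/www": (0, 0o755),
               "/var/www/domain": (0, 0o755), "/var/www/domain/fred": (1001, 0o755)}

def match_user_settings(sshd_text, user):
    """Keywords set in 'Match User <user>' blocks (exact names only, no patterns)."""
    settings, active = {}, False
    for raw in sshd_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0].lower() == "match":
            active = (len(words) == 3 and words[1].lower() == "user"
                      and user in words[2].split(","))
        elif active:
            settings.setdefault(words[0].lower(), " ".join(words[1:]))  # first value wins
    return settings

def chroot_problems(path, stat_map):
    """sshd refuses a chroot unless every path component is root-owned
    and not writable by group or other."""
    parts = [p for p in path.split("/") if p]
    comps = ["/" + "/".join(parts[:i]) for i in range(len(parts) + 1)]
    return [c for c in comps if stat_map[c][0] != 0 or stat_map[c][1] & 0o022]

def audit(passwd_text, sshd_text, user, stat_map):
    """Return a list of findings; an empty list means the account is sftp-only and jailed."""
    fields = next(f for f in (l.split(":") for l in passwd_text.splitlines()) if f[0] == user)
    home, shell = fields[5], fields[6]
    cfg, findings = match_user_settings(sshd_text, user), []
    if shell not in NOLOGIN_SHELLS:
        findings.append("interactive shell: " + shell)
    if cfg.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
        findings.append("no ForceCommand internal-sftp")
    chroot = cfg.get("chrootdirectory", "").replace("%h", home).replace("%u", user)
    if not chroot:
        findings.append("no ChrootDirectory")
    findings += ["chroot path not root-owned or is writable: " + c
                 for c in (chroot_problems(chroot, stat_map) if chroot else [])]
    return findings
```

With `internal-sftp` forced, the `/bin/false` shell no longer blocks sftp, because no shell is started for the session. A home owned by fred:fred cannot itself be the `ChrootDirectory`; the jail has to be a root-owned parent, with the user-owned directory inside it.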
