vsftpd supports all the same (standard) protocols, and will work with anything that uses ftp or sftp.

On 12/29/2011 07:46 PM, Mark Phillips wrote:
Eric,

vsftp is in the Debian repositories, but the developer's tool does not
use it...only sftp or ftp. The program is iWeb on the mac.

However, the article
http://www.debian-administration.org/articles/590 did the trick for me!

Mark

On Thu, Dec 29, 2011 at 12:20 PM, Eric Shubert <[email protected]> wrote:

    Oops. Sorry Mark. I forgot that you said sftp, which is part of
    OpenSSH. I'm using vsftp, which does not require a login shell.
    Probably why it's considered "very secure". ;) I expect that if
    vsftp is in a debian repo, you could use that instead of sftp.
    vsftpd is stock in the RHEL repos.


    On 12/29/2011 08:04 AM, Mark Phillips wrote:

        Eric,

        The Debian equivalent to /sbin/nologin appears to be /bin/false.
        When I tried that, I could not sftp or ssh or gain access to the
        machine in any way. I am not sure if there is another Debian shell
        that allows sftp but not ssh.

        Thanks!

        Mark

        On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert <[email protected]> wrote:

            That should be ok.

            Be sure you have your ftp server configured such that they
            cannot access folders above/across their home folder. File
            permissions may handle this, but probably will not (many things
            are world readable).

            Also, be sure that they cannot log in to a command prompt by
            setting their login shell to /sbin/nologin (might vary with
            distro). This is commonly done for service accounts (apache, etc).


            On 12/28/2011 03:38 PM, Mark Phillips wrote:

                Thanks to everyone for their suggestions. Based on some
                constraints, your advice, some googling, I arrived at this
                set-up, but I am not sure how secure it is.

                1. The web creation software (iWeb on a Mac) only supports
                ftp and sftp to upload a site.
                2. iWeb does not support the use of "versions" for the web
                pages. By that I mean iWeb is strictly one way - create a
                site and publish it. It cannot import an iWeb site, it has
                to start at the beginning. One can create a site and publish
                it, then edit the site, and publish again, but it cannot
                import or use a previous version of the site as a starting
                point. (I mention this because Eric suggested using git,
                which sounded like a great idea, but alas

                I have this setup, but I could use some advice on how to
                make it more secure....

                1. User account fred
                2. fred's home is /var/www/domain/fred
                3. /var/www/domain/fred has owner:group fred:fred
                4. Document root is /var/www/domain/fred

                Thanks,

                Mark

                On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <[email protected]> wrote:

                    On 12/27/2011 10:46 PM, Mark Phillips wrote:

                        I need to give a user access to my web server via
                        sftp to upload web site changes. What is the best
                        way to do this? I have several other sites on the
                        same server, so I want to prevent them or anyone
                        else who gains access to their account from being
                        able to make changes to those sites or other parts
                        of the server.

                        Thanks,

                        Mark


                    I use vsftp, which can be configured to allow users
                    access only to their web site's tree. sftp might be
                    able to do the same.

                    Then, create their user such that their home directory
                    is their web site's directory, and they cannot log in
                    to the system (only vsftp) with an /etc/passwd entry
                    like this:


                    vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin


                    Files in their web site are owned by their user, with
                    read permissions for 'other' (o+r), which allows apache
                    (or nginx) to read them.

                    --
                    -Eric 'shubes'



                    ---------------------------------------------------
                    PLUG-discuss mailing list - [email protected]
                    To subscribe, unsubscribe, or to change your mail settings:
                    http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss




            --
            -Eric 'shubes'





    --
    -Eric 'shubes'





--
-Eric 'shubes'

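The constraints the thread converges on (a non-login shell, a home directory that is the site's document root and is owned by the upload user, files readable by 'other' for the web server but nothing world-writable) are easy to audit. The following POSIX shell function is an added example, not code from any of the mails; the function name and its passwd-line argument are my own choices, and it relies on GNU stat/find.

```shell
#!/bin/sh
# Added example: audit one web-upload account against the thread's constraints.
# Usage: audit_sftp_account 'fred:x:1001:1001::/var/www/domain/fred:/sbin/nologin'
# Checks:
#   1. the login shell is a non-login shell, so the account cannot get a prompt
#   2. the home directory exists and is owned by the account's uid
#   3. nothing under it is world-writable; everything is world-readable (o+r)
# Prints one line per finding; returns 0 only when every check passes.
# Requires GNU stat/find (Linux).
audit_sftp_account() {
    user=$(printf '%s' "$1" | cut -d: -f1)
    uid=$(printf '%s' "$1" | cut -d: -f3)
    home=$(printf '%s' "$1" | cut -d: -f6)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    rc=0

    # 1. /sbin/nologin is the RHEL spelling, /usr/sbin/nologin and /bin/false
    #    the Debian ones; anything else is treated as an interactive shell.
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "FAIL: $user has interactive shell $shell"; rc=1 ;;
    esac

    # 2. The home doubles as the document root, so it must exist and belong
    #    to the upload user, not to root or to another site's account.
    if [ ! -d "$home" ]; then
        echo "FAIL: home $home does not exist"
        return 1
    fi
    owner=$(stat -c '%u' "$home")
    if [ "$owner" != "$uid" ]; then
        echo "FAIL: $home is owned by uid $owner, not $uid"; rc=1
    fi

    # 3. World-writable paths would let any other local account (e.g. a
    #    neighbouring site's user) modify this site; symlinks are skipped.
    ww=$(find "$home" ! -type l -perm -o+w | wc -l | tr -d ' ')
    if [ "$ww" -ne 0 ]; then
        echo "FAIL: $ww world-writable path(s) under $home"; rc=1
    fi
    #    The web server runs as its own user, so it needs o+r on what it serves.
    nr=$(find "$home" ! -type l ! -perm -o+r | wc -l | tr -d ' ')
    if [ "$nr" -ne 0 ]; then
        echo "WARN: $nr path(s) under $home are not world-readable"; rc=1
    fi
    return $rc
}
```

If the account is instead confined with OpenSSH's ChrootDirectory, sshd requires the chroot path itself to be root-owned and not group- or world-writable, so the ownership check here would apply to a subdirectory beneath it rather than the chroot root.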
