On Wed, Mar 25, 2009 at 10:07 PM, Rick Phillips <[email protected]> wrote: > I have a small mail and web server which is used by some paying > customers and also some friends. It currently is running Mandriva > Server 3 which is getting old and I am in the throws of setting up a new > server using Centos 5.2. > > Most of the web based stuff that I serve is based on Joomla but one > customer has had a professional web designer create a new site for him > which I have uploaded and all is working just fine. > > I have never allowed FTP, SFTP nor SSH access to the server for security
Recent versions of openssh (5.0 onwards at least, possibly some of the later 4.x series too) allow you to set up per-user chrooting; have an internal sftpd which can run in the chroot without you needing to do anything to set up the chroot; and allow you to stipulate that user X must run command Y Taken together, this make it fairly easy to give a user (or a group of users) SFTP access, with no possibility[1] of shell access; limited only to their 'homedir' (which can actually be any directory you specify, as long as they have the correct permissions - /var/www/username would work just as well. Searching the web for "openssh internal chroot" shows a few pages talking about how to set this up: http://www.debian-administration.org/articles/590 and http://blogs.techrepublic.com.com/opensource/?p=229 are the top two (for my search, anyway). Both are so brief as to look like summaries rather than detailed walkthroughs, but that's just a function of how little setup there is to do. To lock it down further, you can lock down their access to only certain IPs - via iptables, or via a Match block in sshd_config (or ideally, both). [1] no possibility - aside from, eg, bugs internal to openssh/sftpd that allow the remote user to run arbitrary code, etc. Compared to older ways of trying to force users to only have sftp capacity, this is a godsend. > reasons (other than myself) but this customer wants to directly edit his > new web site from time to time. I don't run C Panel (can't afford it) > nor can I run ISPConfig which has some features missing such as mailing > lists which a couple of clubs I host use. I am looking for suggestions > as to what members might think would be an easy but secure way for this > customer to do what he wants to do - make changes to his web site > directly on the server. > > I run name based virtual domains and I guess I could set all other > folders which other customers use with chmod 700 and perhaps set up his > folder as 750 and make his username part of the apache group. I would > then make his home area his web page folder but I am looking for a > better way - if there is one. > > Would webdav be the ticket although I have never successfully set this > up or is it just as easy for him to use an FTP client using SFTP to > access his web root and make changes? > > Thanks, > > Rick > > -- > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
