On Wed, Dec 11, 2002 at 05:50:46PM -0800, [EMAIL PROTECTED] wrote:
> Hello, I've been reading many documents on chroot and ssh namely:
>
> http://chrootssh.sourceforge.net/docs/chrootedsftp.html
>
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
> http://www.coding-zone.com/chroot+sftp-server.patch
>
> and see how one builds a users chroot for sftp however I still DO NOT see
> how to set up sftp for a user to admin their own site.

Ok, I suggest not patching your sshd, because then you're on your own to build and implement the security fixes, and that is hard work. Instead I suggest using scponly or a similar shell [1]. You can use scponly to allow normal sftp and scp actions, or as an add-on chroot the stuff. For the chroot you have to set up a whole environment like the ones described in the URLs you posted.

> the trouble is ssh wants root to own the chroot and apache wants to own
> the domain so is this not possible? I know hosting companies with tons of
> sites segment user access from one another; perhaps via chmod + chown
> the goal is not to push users content for them out of a standard home jail
> and for them to only see their site and not be able to read etc others.
> can someone recommend a faq loosely based on the subject. one from a
> debian box would be a plus.

Ok, you cannot have a chroot like it is possible with ftp, where all the standard commands (ls, chown, del etc.) are implemented in the server software itself. But you can restrict access to parts of the system with the normal Unix permission system. Important for that is that Linux (and other Unix systems) check the access rights from left to right (user-group-world), and the first one that matches will be used.

So let's say we have a group for untrusted users named utrust. This group contains the users baduser1, baduser2 etc. Our sample directory has the following setup:

    rwx---r-x baduser1:utrust

baduser1 tries to change into this directory, so Linux checks the user rights first, and we have a matching username/uid, so next we look at the rights given to that user. In this case -x is set, which means the user can change into the directory, and so the cd command will be successful.

Now baduser2 tries to change into the same directory, and Linux checks the user, which does not match, so it will look at the group, and hey, the user is in the group utrust, so the group rights will apply. There are no rights for this group on this directory, so the cd command will report access denied and stay in the pwd.

So with a small concept you can set up a quite secure environment where no shell or sftp/scp user can access the files of another user. Before you start your work, be prepared that there are other ways to circumvent these protections; for example, think about cgi scripts running with the uid of the webserver.

HTH

Sven

[1] http://sublimation.org/scponly/

-- 
sig was terminated for operational reasons
Apt-rpm packages for RedHat: http://www.hoaxter.de/aptrpm/index.html
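
The left-to-right permission check described in the reply above, as an added example that is not part of the original message: it models the classic mode-bit decision for the sample directory and also shows where the web server's uid lands. The account name `www-data` and the helper names are assumptions; root, ACLs and capabilities are not modelled.

```python
def parse_mode(sym):
    """Turn a 9-character string such as 'rwx---r-x' into mode bits."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters")
    bits = 0
    for i, (ch, want) in enumerate(zip(sym, "rwxrwxrwx")):
        if ch == want:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return bits


def permission_class(owner, group, user, user_groups):
    """Pick exactly one class; the first match wins (user, group, other)."""
    if user == owner:
        return "user"
    if group in user_groups:
        return "group"  # group bits apply even if 'other' would allow more
    return "other"


def may(want, sym_mode, owner, group, user, user_groups):
    """Mode-bit check for a non-root user; want is 'r', 'w' or 'x'."""
    cls = permission_class(owner, group, user, user_groups)
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    need = {"r": 4, "w": 2, "x": 1}[want]
    return bool((parse_mode(sym_mode) >> shift) & need)


# Constructed sample: the directory from the message plus an assumed web server user.
SITE = dict(sym_mode="rwx---r-x", owner="baduser1", group="utrust")
USERS = {
    "baduser1": {"utrust"},    # owner: user bits (rwx) apply
    "baduser2": {"utrust"},    # group member: group bits (---) apply
    "www-data": {"www-data"},  # assumed web server account: other bits (r-x)
}


def report():
    """Map each sample user to whether 'cd' into the directory would succeed."""
    return {u: may("x", user=u, user_groups=g, **SITE) for u, g in USERS.items()}


if __name__ == "__main__":
    for user, ok in report().items():
        print(f"cd as {user}: {'ok' if ok else 'permission denied'}")
```

The web server account is outside utrust, so it falls through to the "other" bits and can enter every such directory, which is why CGI scripts running under that uid bypass the separation.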