Hi,

On 12/08/18 14:55, mett wrote:
> I'm wondering about the best way to restrict a user after he has
> ssh'd into his web folder.

I solved this problem a different way. Created a VM just for the required user(s). They needed to provide their static IP address and a public key for the authorized_keys file. Only they could login to their own VM and only from a trusted IP address with their private key (hopefully protected with a decent password/passphrase).

The VM mounted particular directories so that the user could access those alone in their restricted VM without any direct access to the main host that has shared and non-shared files for others.

As the VM spins up, so to speak, a process mounts the required directories as the correct user and if they adjust those files, then the main server will get those adjustments, but they cannot change ownership of any file (they can, but it won't propagate to the main server).

There are still risks, they can be bad and place files in their own areas on the server that might try to do something that would be frowned upon, such as trying to break security with some kind of executable code (perhaps website code). Some trust is needed, but if they abuse that trust and get found out, then there would be hell to pay as I'll cut them off completely and only allow update to files much less directly.

Cheers
AndrewM

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
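
An added example, not part of the original message: a Python audit that checks every key in an authorized_keys file is pinned to a trusted source address with OpenSSH's `from=` option. It assumes the IP restriction is enforced in authorized_keys (the message does not say where it is enforced); the sample file, addresses and function names are constructed.

```python
import ipaddress
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # key-type field starts with one of these

SAMPLE = '''\
# constructed sample: placeholder keys, documentation address ranges
from="203.0.113.10",no-agent-forwarding ssh-ed25519 AAAAPLACEHOLDER alice
ssh-ed25519 AAAAPLACEHOLDER bob
from="198.51.100.0/24,*.example.net" ssh-rsa AAAAPLACEHOLDER carol
'''

def parse_options(line):
    """Return the options of one authorized_keys line as a dict."""
    if line.split()[0].startswith(KEY_PREFIXES):
        return {}  # line begins with the key type: no options field
    fields, buf, quoted = [], [], False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted  # quotes delimit values, drop them
        elif ch == "," and not quoted:
            fields.append("".join(buf))
            buf = []
        elif ch in " \t" and not quoted:
            break  # first unquoted whitespace ends the options
        else:
            buf.append(ch)
    fields.append("".join(buf))
    return {n.lower(): v for n, _, v in (f.partition("=") for f in fields)}

def audit(text, trusted):
    """List (line number, problem) for keys not pinned to a trusted source."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        if "from" not in opts:
            findings.append((num, "no from= restriction"))
            continue
        for pat in opts["from"].split(","):
            try:
                net = ipaddress.ip_network(pat, strict=False)
            except ValueError:  # hostname, wildcard or negated pattern
                findings.append((num, f"non-literal pattern {pat!r}"))
                continue
            if not any(net.subnet_of(t) for t in nets if t.version == net.version):
                findings.append((num, f"{pat} outside trusted set"))
    return findings
```

Calling `audit(SAMPLE, ["203.0.113.10/32"])` reports the unrestricted key on line 3 and both the wide subnet and the wildcard hostname on line 4.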