Hello,

Someone far more experienced than me challenged my take on virtual hosting setups. I am accustomed to having virtual users, not real users, doing stuff with MySQL backends etc. My ideas now seem to have corrupted what made me choose OpenBSD in the first place.

I would like to set up a multi-user (real accounts) hosting machine without using any MySQL/web-GUI kind of user management. For you perhaps intuitive and elementary stuff, for me a bold and new undertaking. So I would really like some advice on this from those of you that have been working with non-virtual hosting setups all along.

1) What kind of permission scheme is sane for non-jailed user accounts (SSH+SFTP)?

These are website owners that need nothing fancy but being able to edit their site(s), manage their e-mail and edit their zone-files. All of this is now virtual (and with regular FTP chrooted). My setup so far consists of the user accounts in /home - owned by username:username and chmodded 700. In their homedir there is a `ln -s` to their /var/www/home/username webspace. That webspace is chowned username:www and chmodded 770 so httpd can access/write to their dir as well.
Is that advisable / workable? Other ideas?

2) Chroot jails / limited shells - do's and don'ts

I understand the implications of chroot jails. I understand they are not worth the risk. Which is a shame really as they bring certain functionality (or limits if you will) that I would consider nice to have. How do you prevent people from snooping around the system, looking for that sloppy permissioned file / gathering intelligence about your client base? All by setting permissions manually?
How do you prevent them from compiling and installing all sorts of things?
Is it possible/maintainable at all without chroot jails for your users?

3) Mail setups

I can find lots of setups with virtual mail users. I have been successfully using a Courier-imap/Postfix/MySQL setup for several years now, connected to a web-based mail management tool. If I was to drop all that in favor of a more 'core' OpenBSD setup - what would be a nice maintainable (both for users and myself) way to offer single users multiple domains / mailboxes?

4) Other considerations

Any advice on what to avoid and what to certainly do/check/follow up on is appreciated.
I will certainly miss stuff that might present a problem down the road.
For instance things like cronjobs - do you limit their use by custom scripts or do you just monitor abuse?

I am aware of things like 'accounting', 'quota' and 'ulimit' - any other handy utils I might check?

Thanks,
Matt
