ChatGPT gave a more complete answer than I do below (the question was:
This person is using vhost, and thinks he wants to chroot to the docroot
of the vhost when the user logs in. What do you think of that?)
(I never thought I'd be pointing people to an AI for answers! ;-)
On 10/22/24 10:42, Rusty Carruth via PLUG-discuss wrote:
One thing I don't understand, below.
On 10/22/24 10:25, Keith Smith via PLUG-discuss wrote:
Hi,
I appreciate all the feedback. There is more to the story.
....
The 3 things I think I need to accomplish:
1) Add a user and configure it to use SSH.
2) Configure each vhost to use PHP-FPM.
3) Limit the User to the docroot of its virtual host. (ChrootDirectory)
I don't understand # 3. Let me say what I think you said: you have
(some number of) virtual machines. Or do you mean that thing that
allows you to run more than one web address from the same IP address?
In either case, why do you need to chroot to docroot? You do realize
that docroot must then have EVERYTHING the user needs - all programs,
all devices, everything. So you're going to need /dev, /bin,
/usr/bin, and so forth or the user will be dead in the water with no
commands - shoot, not even bash will be there to try to type commands!
If you're doing the chroot already, and it's failing, then that's
probably because bash isn't there, nor is anything else you need...
I am using a clone of the LAMP server so I am going to remove it and
create another clone and start by trying to create a user that has SSH
access and a home directory.
If you are using virtual machines, just clone it in the virtual
machine - but then, I'm thinking you don't mean virtual machine, you
mean that other thing :-)
Then I think I should work on limiting that user to the vhost it is
designated to work with.
So, if you mean not virtual machine but that other thing, then you're
either going to have to copy all the stuff I talk about above into
the docroot tree (which I still think will cause more problems than it
will fix), or mount the stuff above inside the docroot, or figure out
how to change permissions and ownership so that the user can only
change the stuff in their docroot. Perhaps group ownership can save
the day here, assuming you want ALL files in ALL web servers to be
owned by whoever is running Apache, then create 2 or more groups,
change all group ownership to the NON-User group, then
change group ownership of all files in your docroot to the group of
the user (obviously you're going to have to change the user to have
that group too), then change permissions to something like 770 for all
directories everywhere (or 775, or whatever) and 660 for all files.
Done, supposedly ;-)
Then finish up by installing and configuring the vhost to use PHP-FPM.
Any thoughts are much appreciated!!
Keith
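The group-ownership scheme Rusty sketches (one group per vhost, directories 770, files 660, the web-server user as owner), as an added shell example that is not from the thread: the docroot path, group name and owner are assumptions passed in as arguments, and the second function reports any file or directory that has drifted from the scheme.

```shell
#!/bin/sh
# Added example, not from the thread: apply and verify the per-vhost
# group scheme discussed above. Directories get 770, files 660, every
# entry gets the vhost's group and, optionally, the web-server user as
# owner. DOCROOT, GROUP and OWNER are assumptions supplied by the caller.

# confine_docroot DOCROOT GROUP [OWNER]
#   chgrp alone works unprivileged when you belong to GROUP; setting
#   OWNER (e.g. the user Apache runs as) needs root.
confine_docroot() {
    docroot=$1
    grp=$2
    owner=${3:-}
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 1; }
    chgrp -R "$grp" "$docroot" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$docroot" || return 1
    fi
    # Directories: owner and group rwx, others nothing.
    find "$docroot" -type d -exec chmod 770 {} + || return 1
    # Files: owner and group rw, others nothing.
    find "$docroot" -type f -exec chmod 660 {} + || return 1
}

# check_docroot DOCROOT GROUP
#   Returns 0 when the whole tree matches the scheme; otherwise lists
#   each offending path (wrong mode or wrong group) on stderr and
#   returns 1. Run it after uploads or deployments to catch drift.
check_docroot() {
    docroot=$1
    grp=$2
    offenders=$(find "$docroot" \( -type d ! -perm 770 \) \
                             -o \( -type f ! -perm 660 \) \
                             -o ! -group "$grp")
    if [ -n "$offenders" ]; then
        printf 'not confined:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: sh confine.sh DOCROOT GROUP [OWNER]
if [ "$#" -ge 2 ]; then
    confine_docroot "$1" "$2" "${3:-}" && check_docroot "$1" "$2"
fi
```

Note that with others getting no access at all, the web server can only read the tree when it is the owner, which is why the scheme assumes the Apache user owns every file.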
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss