That should be ok.
Be sure you have your ftp server configured such that they cannot access
folders above/across their home folder. File permissions may handle
this, but probably will not (many things are world readable).
Also, be sure that they cannot login to a command prompt by setting
their login shell to /sbin/nologin (might vary with distro). This is
commonly done for service accounts (apache, etc).
On 12/28/2011 03:38 PM, Mark Phillips wrote:
Thanks to everyone for their suggestions. Based on some constraints,
your advice, some googling, I arrived at this set-up, but I am not sure
how secure it is.
1. The web creation software (iWeb on a Mac) only supports ftp and sftp
to upload a site.
2. iWeb does not support the use of "versions" for the web pages. By
that I mean iWeb is strictly one way - create a site and publish it. It
cannot import an iWeb site, it has to start at the beginning. One can
create a site and publish it, then edit the site, and publish again, but
it cannot import or use a previous version of the site as a starting
point. (I mention this because Eric suggested using git, which sounded
like a great idea, but alas
I have this setup, but I could use some advice on how to make it more
secure....
1. User account fred
2. fred's home is /var/www/domain/fred
3. /var/www/domain/fred has owner:group fred:fred
4. Document root is /var/www/domain/fred
Thanks,
Mark
On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <e...@shubes.net
<mailto:e...@shubes.net>> wrote:
On 12/27/2011 10:46 PM, Mark Phillips wrote:
I need to give a user access to my web server via sftp to upload web
site changes. What is the best way to do this? I have several other
sites on the same server, so I want to prevent them or anyone
else who
gains access to their account from being able to make changes to
those
sites or other parts of the server.
Thanks,
Mark
I use vsftp, which can be configured to allow users access only to
their web site's tree. sftp might be able to do the same.
Then, create their user such that their home directory is their web
site's directory, and they cannot log in to the system (only vsftp)
with an /etc/passwd entry like this:
vsftpuser:x:511:511::/var/__vhosts/domain.com/docs:/sbin/__nologin
<http://domain.com/docs:/sbin/nologin>
Files in their web site are owned by their user, with read
permissions for 'other' (o+r), which allows apache (or nginx) to
read them.
--
-Eric 'shubes'
------------------------------__---------------------
PLUG-discuss mailing list - plug-disc...@lists.plug.__phoenix.az.us
<mailto:PLUG-discuss@lists.plug.phoenix.az.us>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.__us/mailman/listinfo/plug-__discuss
<http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss>
--
-Eric 'shubes'
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
