Webserver users

[kornp]

I have apache / PHP / mysql running, and am now planning on hosting a few websites for people, what I would like to do, is give them a username so they can ftp to their home dir, and ssh to it, but so that they can't see anywhere else on the server. Bascially i want them to have full access in their home dir (/var/www/htdocs/usernam) and nowhere else, not even read priveleges. Will I have to chmod o-r the whole filesystem to do this, or is there an easier way?

[tolstoy]

Look for the chroot (change root) HOWTOs. If you are using protfpd as your ftp package, jailing a user into their home directory is very very easy. Look at proftpd's online documentation. It's very straightforward.

I'm pretty sure you can also chroot with ssh as well, though I have never tried to do it.

A third senario is to set up a restricted shell in which you define not only what permissions users have to their home directories, but also what actual commands they can run (you can, for instance, only allow users to do an 'ls' and nothing else if you want).

If you want the code for the restricted shell, let me know and I'll post it. Using chroot, however, is probably the best solution.

[kornp]

Thanx for the info, i'll give it a shot and let you know the results.

[tolstoy]

[quote author=PK link=board=4;threadid=5848;start=0#55798 date=1039833808]
Thanx for the info, i'll give it a shot and let you know the results.
[/quote]

If you're using proftpd let me know. I can help you set your chroot on it. I curently use it to jail my web developer into our webserver's document root so that he cannot browse the entire file system from an ftp session. I believe it is a very comon setup. Most people use chroot on ftp servers that allow anonymous access (or any access for that matter).

[kornp]

Indeed I am using proftpd

[tolstoy]

Setting the chroot jail should be as simple as adding:

Code:

DefaultRoot     ~

to your proftpd.conf either as a global option or to your specific virtual servers. After that, set each home user's directory to their webserver's document root in /etc/passwd.

That should be all there is to it.

[flashingcurser]

Kind of off topic: Could chroot be used to make a dmz on a router box? I was thinking it would be cool to have a family web server on my router box.