[Chugalug] Running multi sites on one(non virt) machine

William Roush william.roush at roushtech.net
Mon Mar 17 14:26:54 UTC 2014


I've always had some problems with chroot and its (understandable) 
permission limitations...

Mainly with a deploy which a user can edit their chrooted folder, and 
not sub folders of the chroot, leads to headaches because I have to 
support changes in workflow to handle that.

William Roush
william.roush at roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/17/2014 10:21 AM, Ed King wrote:
> give each sftp user their own chroot folder
>
>
> ------------------------------------------------------------------------
> *From:* David White <dwrudy at gmail.com>
> *To:* Chattanooga Unix Gnu Android Linux Users Group 
> <chugalug at chugalug.org>
> *Sent:* Monday, March 17, 2014 9:55 AM
> *Subject:* Re: [Chugalug] Running multi sites on one(non virt) machine
>
> I'm digging up an old thread. Originally, I searched my Chugalug 
> archives for OSSEC, but this email thread (ironically) brings up the 
> real reason I was searching for OSSEC - figuring out a better way to 
> secure my shared webserver infrastructure.
>
> Because right now, the single shared server I operate is anything but 
> secure other than a few scripts monitoring for file hash changes and 
> having password auth turned off, only relying on key-based auth, and 
> blocking IP addresses that repeatedly try to brute force the machine 
> (I also manage dedicated servers which is obviously much more 
> preferable, security-wise).
>
> I really need a way to separate permissions and visibility from 1 
> user's directory to another's (user X shouldn't be able to see user 
> Y's stuff when they log in via sFTP). Even though I have my users' 
> stuff separated in different directories, any user - if they wanted to 
> and knew how - could navigate _up_ the directory tree and then over 
> into another user's folder.
>
> Permissions are set so that they can't actually edit the files, but 
> reading the files is bad enough... This has always been in the back of 
> my mind as an issue I need to deal with - and I hate cPanel, and 
> refuse to use it.
>
> I'll take a look at the Webmin idea, as well as Apache vhosts... I 
> think I remember looking into that a year or two ago, and not getting 
> anywhere with it. I'll try another attempt.
>
>
>
> On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys <mk6032 at yahoo.com> wrote:
>
>     Thanks for the tip on etckeeper! Tripwire / OSSEC hash files and
>     tell you if the hash has changed but they don't give you the
>     actual change. This should work much better!
>
>     Regards,
>     Matt
>
>
>     On 06/23/2013 02:52 PM, Jason Brown wrote:
>>     I like the way virtualmin <http://www.virtualmin.com/> (A webmin
>>     addon) handles this, even if I don't always use the software. 
>>     You can use it for configuration, then shut it down when not
>>     needed if its overhead is in the way.
>>
>>     In short, each website / apache virtual host gets its own user,
>>     unless it is a sub-server under an existing user. It's a good
>>     data segmentation model.
>>
>>     For web site setup operations it is also a useful learning tool,
>>     change an option and see what it did in the configuration
>>     file(s). etckeeper + git is your friend here.
>>
>>     --Jason
>>
>
>
>     _______________________________________________
>     Chugalug mailing list
>     Chugalug at chugalug.org <mailto:Chugalug at chugalug.org>
>     http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>
>
>
> -- 
> David White
> Founder & CEO
> *Develop CENTS*
> Computing, Equipping, Networking, Training & Supporting
> Nonprofit Organizations Worldwide
> http://developcents.com
> 423-693-4234
>

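An added example, not part of the thread: one way to lay out the per-user chroot suggested above with OpenSSH's internal-sftp, plus a check for the permission rule that leaves the chroot directory itself read-only to its user. The group `sftponly`, the base `/srv/sftp`, the user `alice` and the function `audit_chroot` are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed sshd_config fragment (group "sftponly" and /srv/sftp are
# hypothetical names):
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
# Assumed layout for a hypothetical user "alice":
#   install -d -o root  -g root     -m 755 /srv/sftp/alice
#   install -d -o alice -g sftponly -m 750 /srv/sftp/alice/upload
# sshd refuses the session unless every component of the ChrootDirectory
# path is a root-owned directory that group and others cannot write to,
# so the user's writable space is the "upload" subdirectory.

# audit_chroot DIR [OWNER_UID] [STOP_DIR]
# Walks from DIR up to STOP_DIR (default /) and prints each component
# that breaks that rule. Returns 0 when the whole chain is clean.
# OWNER_UID and STOP_DIR exist so the check can be tried without root;
# leave them at their defaults on a real server.
audit_chroot() {
    dir=$1 owner=${2:-0} stop=${3:-/} bad=0
    while :; do
        # ls -ldn prints "mode links uid gid ..."; -L follows symlinks
        read -r mode links uid rest <<EOF
$(ls -ldnL "$dir" 2>/dev/null)
EOF
        case $mode in
            d????w*|d???????w*)
                echo "$dir: writable by group or others ($mode)"; bad=1 ;;
            d*) ;;
            *)  echo "$dir: missing or not a directory"; bad=1 ;;
        esac
        case $mode in
            d*) [ "$uid" = "$owner" ] ||
                { echo "$dir: owned by uid $uid, expected $owner"; bad=1; } ;;
        esac
        case $dir in "$stop"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# Example: audit_chroot /srv/sftp/alice
```

Run it against each user's chroot after provisioning or a permissions change; any line it prints names a path component that would make sshd reject that user's session.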