[Chugalug] Running multi sites on one(non virt) machine

David White dwrudy at gmail.com
Mon Mar 17 14:43:11 UTC 2014


I've also always had issues with chroot, mainly because the chroot leads to
a major headache in keeping system files up-to-date. From my experience,
anyway, you basically have to create an entire mini-Linux system in the
chroot in order to provide the functionality for users to be able to log in
(SSH binaries and their dependencies, etc.).

chroot 700 isn't a bad idea, except that both Apache and the user need to
be able to read the files. Maybe I could play around with groups and group
memberships, though... that's not a bad idea.


On Mon, Mar 17, 2014 at 10:26 AM, William Roush <william.roush at roushtech.net> wrote:

>  I've always had some problems with chroot and its (understandable)
> permission limitations...
>
> Mainly with a deploy which a user can edit their chrooted folder, and not
> sub folders of the chroot, leads to headaches because I have to support
> changes in workflow to handle that.
>
> William Roush
> william.roush at roushtech.net
> 423-463-0592
> http://www.roushtech.net/blog/
>
>  On 3/17/2014 10:21 AM, Ed King wrote:
>
> give each sftp user their own chroot folder
>
>
>   ------------------------------
>  *From:* David White <dwrudy at gmail.com>
> *To:* Chattanooga Unix Gnu Android Linux Users Group
> <chugalug at chugalug.org>
> *Sent:* Monday, March 17, 2014 9:55 AM
> *Subject:* Re: [Chugalug] Running multi sites on one(non virt) machine
>
>  I'm digging up an old thread. Originally, I searched my Chugalug
> archives for OSSEC, but this email thread (ironically) brings up the real
> reason I was searching for OSSEC - figuring out a better way to secure my
> shared webserver infrastructure.
>
>  Because right now, the single shared server I operate is anything but
> secure other than a few scripts monitoring for file hash changes and having
> password auth turned off, only relying on key-based auth, and blocking IP
> addresses that repeatedly try to brute force the machine (I also manage
> dedicated servers which is obviously much more preferable, security-wise).
>
>  I really need a way to separate permissions and visibility from 1 user's
> directory to another's (user X shouldn't be able to see user Y's stuff when
> they log in via sFTP). Even though I have my users' stuff separated in
> different directories, any user - if they wanted to and knew how, could
> navigate *up* the directory tree and then over into another user's
> folder.
>
>  Permissions are set so that they can't actually edit the files, but
> reading the files is bad enough... This has always been in the back of my
> mind as an issue I need to deal with - and I hate cPanel, and refuse to use
> it.
>
>  I'll take a look at the Webmin idea, as well as Apache vhosts... I think
> I remember looking into that a year or two ago, and not getting anywhere
> with it. I'll try another attempt.
>
>
>
> On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys <mk6032 at yahoo.com> wrote:
>
>  Thanks for the tip on etckeeper! Tripwire / OSSEC hash files and tell
> you if the hash has changed but they don't give you the actual change. This
> should work much better!
>
> Regards,
> Matt
>
>
> On 06/23/2013 02:52 PM, Jason Brown wrote:
>
> I like the way virtualmin <http://www.virtualmin.com/> (A webmin addon)
> handles this, even if I don't always use the software.  You can use it for
> configuration, then shut it down when not needed if its overhead is in the
> way.
>
> In short, each website / apache virtual host gets its own user, unless it
> is a sub-server under an existing user. It's a good data segmentation
> model.
>
> For web site setup operations it is also a useful learning tool, change an
> option and see what it did in the configuration file(s). etckeeper + git is
> your friend here.
>
> --Jason
>
>
>
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>
>
>
>  --
>  David White
> Founder & CEO
>
>  *Develop CENTS *
>  Computing, Equipping, Networking, Training & Supporting
>  Nonprofit Organizations Worldwide
> http://developcents.com
> 423-693-4234
>
>


-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
http://developcents.com
423-693-4234
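
The group-based alternative to mode 700 raised in the reply above, as an added example that is not part of the original thread. It assumes one directory per site under a hosting root (the `/srv/www/<site>` layout and the function names are hypothetical) and that the web server's account is a member of the group given to each site directory.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed layout: <root>/<site>/, each site directory owned by that site's user.

# Print every site directory under $1 that grants any access to "other",
# i.e. one that a different sFTP user on the box could list or read.
audit_site_dirs() {
    root=$1
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        # Characters 8-10 of the ls mode string are the "other" rwx bits.
        other=$(ls -ld "$d" | cut -c8-10)
        [ "$other" = "---" ] || printf '%s\n' "$d"
    done
}

# Restrict one site directory to its owner plus one group.
#   $1  site directory
#   $2  optional group that the web server account belongs to
# Changing to a group the caller is not a member of requires root.
lock_site_dir() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp "$group" "$dir" || return 1
    fi
    # 2750: owner rwx, group r-x, other nothing. The setgid bit makes files
    # created inside inherit the directory's group, so the web server can
    # still read newly uploaded files.
    chmod 2750 "$dir"
}
```

Files already inside a site directory keep their own modes, but with no access for "other" on the directory itself, other accounts cannot traverse into it to reach them.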