[Chugalug] Running multi sites on one(non virt) machine

William Roush william.roush at roushtech.net
Mon Mar 17 14:49:37 UTC 2014


To be honest I'd throw Serv-U at it and call it a day. :\

William Roush
william.roush at roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/17/2014 10:43 AM, David White wrote:
> I've also always had issues with chroot, mainly because the chroot 
> leads to a major headache in keeping system files up-to-date. From my 
> experience, anyway, you basically have to create an entire mini-Linux 
> system in the chroot in order to provide the functionality for users 
> to be able to login (SSH binaries and their dependencies, etc....).
>
> chroot 700 isn't a bad idea, except that both Apache and the User 
> need to be able to read the files. Maybe I could play around with 
> groups and group memberships, though.... that's not a bad idea.
>
>
> On Mon, Mar 17, 2014 at 10:26 AM, William Roush 
> <william.roush at roushtech.net> wrote:
>
>     I've always had some problems with chroot and its
>     (understandable) permission limitations...
>
>     Mainly with a deploy which a user can edit their chrooted folder,
>     and not sub folders of the chroot, leads to headaches because I
>     have to support changes in workflow to handle that.
>
>     William Roush
>     william.roush at roushtech.net
>     423-463-0592
>
>     http://www.roushtech.net/blog/
>
>
>     On 3/17/2014 10:21 AM, Ed King wrote:
>>     give each sftp user their own chroot folder
>>
>>
>>     ------------------------------------------------------------------------
>>     *From:* David White <dwrudy at gmail.com>
>>     *To:* Chattanooga Unix Gnu Android Linux Users Group
>>     <chugalug at chugalug.org>
>>     *Sent:* Monday, March 17, 2014 9:55 AM
>>     *Subject:* Re: [Chugalug] Running multi sites on one(non virt)
>>     machine
>>
>>     I'm digging up an old thread. Originally, I searched my Chugalug
>>     archives for OSSEC, but this email thread (ironically) brings up
>>     the real reason I was searching for OSSEC - figuring out a better
>>     way to secure my shared webserver infrastructure.
>>
>>     Because right now, the single shared server I operate is anything
>>     but secure other than a few scripts monitoring for file hash
>>     changes and having password auth turned off, only relying on
>>     key-based auth, and blocking IP addresses that repeatedly try to
>>     brute force the machine (I also manage dedicated servers which is
>>     obviously much more preferable, security-wise).
>>
>>     I really need a way to separate permissions and visibility from 1
>>     user's directory to another's (user X shouldn't be able to see
>>     user Y's stuff when they login via sFTP). Even though I have my
>>     user's stuff separated in different directories, any user - if
>>     they wanted to and knew how, could navigate _up_ the directory
>>     tree and then over into another user's folder.
>>
>>     Permissions are set so that they can't actually edit the files,
>>     but reading the files is bad enough... This has always been in
>>     the back of my mind as an issue I need to deal with - and I hate
>>     cPanel, and refuse to use it.
>>
>>     I'll take a look at the Webmin idea, as well as Apache vhosts...
>>     I think I remember looking into that a year or two ago, and not
>>     getting anywhere with it. I'll try another attempt.
>>
>>
>>
>>     On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys <mk6032 at yahoo.com> wrote:
>>
>>         Thanks for the tip on etckeeper! Tripwire / OSSEC hash files
>>         and tell you if the hash has changed but they don't give you
>>         the actual change. This should work much better!
>>
>>         Regards,
>>         Matt
>>
>>
>>         On 06/23/2013 02:52 PM, Jason Brown wrote:
>>>         I like the way virtualmin <http://www.virtualmin.com/> (A
>>>         webmin addon) handles this, even if I don't always use the
>>>         software.  You can use it for configuration, then shut it
>>>         down when not needed if its overhead is in the way.
>>>
>>>         In short, each website / apache virtual host gets its own
>>>         user, unless it is a sub-server under an existing user.
>>>         It's a good data segmentation model.
>>>
>>>         For web site setup operations it is also a useful learning
>>>         tool, change an option and see what it did in the
>>>         configuration file(s). etckeeper + git is your friend here.
>>>
>>>         --Jason
>>>
>>
>>
>>         _______________________________________________
>>         Chugalug mailing list
>>         Chugalug at chugalug.org
>>         http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>>
>>
>>
>>     -- 
>>     David White
>>     Founder & CEO
>>     *Develop CENTS*
>>     Computing, Equipping, Networking, Training & Supporting
>>     Nonprofit Organizations Worldwide
>>     http://developcents.com
>>     423-693-4234
>>
>
>
>
> -- 
> David White
> Founder & CEO
> *Develop CENTS*
> Computing, Equipping, Networking, Training & Supporting
> Nonprofit Organizations Worldwide
> http://developcents.com
> 423-693-4234
>
>
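
An added example, not written by anyone in this thread: one way to combine the per-user SFTP chroot and the group idea discussed above, using OpenSSH's built-in `internal-sftp` so the chroot needs no copied binaries or libraries. The `sftponly` and `www-data` group names, the `/srv/sites` layout and both function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout (not from the thread):
#   /srv/sites/<user>         root:root        755  chroot root; sshd refuses a
#                                                   chroot that is not root-owned
#                                                   or is group/world-writable
#   /srv/sites/<user>/htdocs  <user>:www-data  750  owner writes, Apache reads
#                                                   through the group, every
#                                                   other account gets nothing

# Print the sshd_config block that jails every member of the assumed group
# "sftponly". internal-sftp runs inside sshd itself, so nothing has to be
# installed or kept up to date inside the chroot.
sshd_match_block() {
    cat <<'EOF'
# Replaces any existing "Subsystem sftp" line; must precede the Match block.
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sites/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# List content directories under $1 that still grant any permission bit to
# "other", i.e. sites another local account could read or traverse.
audit_sites() {
    base=$1
    find "$base" -mindepth 2 -maxdepth 2 -type d -name htdocs \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}
```

Run `audit_sites /srv/sites` after setting ownership and mode on each `htdocs`, and check the edited configuration with `sshd -t` before reloading sshd.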
