[Chugalug] Running multi sites on one(non virt) machine

Benjamin Stewart stewartbenjamin at gmail.com
Mon Mar 17 15:31:36 UTC 2014


From my experience, anyway, you basically have to create an entire
mini-Linux system in the chroot in order to provide the functionality for
users to be able to login (SSH binaries and their dependencies, etc....).

One technique I've heard of (but haven't tried) is to create one
"mini-Linux" master directory, and then link to it for each jail. That way
there's only one place to update.


On Mon, Mar 17, 2014 at 10:43 AM, David White <dwrudy at gmail.com> wrote:

> I've also always had issues with chroot, mainly because the chroot leads
> to a major headache in keeping system files up-to-date. From my experience,
> anyway, you basically have to create an entire mini-Linux system in the
> chroot in order to provide the functionality for users to be able to login
> (SSH binaries and their dependencies, etc....).
>
> chroot 700 isn't a bad idea, except that both Apache and the user need to
> be able to read the files. Maybe I could play around with groups and group
> memberships, though.... that's not a bad idea.
>
>
> On Mon, Mar 17, 2014 at 10:26 AM, William Roush <william.roush at roushtech.net> wrote:
>
>> I've always had some problems with chroot and its (understandable)
>> permission limitations...
>>
>> Mainly with a deploy in which a user can edit their chrooted folder and not
>> subfolders of the chroot, which leads to headaches because I have to support
>> changes in workflow to handle that.
>>
>> William Roush
>> william.roush at roushtech.net
>> 423-463-0592
>> http://www.roushtech.net/blog/
>>
>>  On 3/17/2014 10:21 AM, Ed King wrote:
>>
>> give each sftp user their own chroot folder
>>
>>
>> ------------------------------
>> *From:* David White <dwrudy at gmail.com>
>> *To:* Chattanooga Unix Gnu Android Linux Users Group <chugalug at chugalug.org>
>> *Sent:* Monday, March 17, 2014 9:55 AM
>> *Subject:* Re: [Chugalug] Running multi sites on one(non virt) machine
>>
>>  I'm digging up an old thread. Originally, I searched my Chugalug
>> archives for OSSEC, but this email thread (ironically) brings up the real
>> reason I was searching for OSSEC - figuring out a better way to secure my
>> shared webserver infrastructure.
>>
>>  Because right now, the single shared server I operate is anything but
>> secure other than a few scripts monitoring for file hash changes and having
>> password auth turned off, only relying on key-based auth, and blocking IP
>> addresses that repeatedly try to brute force the machine (I also manage
>> dedicated servers which is obviously much more preferable, security-wise).
>>
>> I really need a way to separate permissions and visibility from 1
>> user's directory to another's (user X shouldn't be able to see user Y's
>> stuff when they login via sFTP). Even though I have my users' stuff
>> separated in different directories, any user, if they wanted to and knew
>> how, could navigate *up* the directory tree and then over into another
>> user's folder.
>>
>>  Permissions are set so that they can't actually edit the files, but
>> reading the files is bad enough... This has always been in the back of my
>> mind as an issue I need to deal with - and I hate cPanel, and refuse to use
>> it.
>>
>>  I'll take a look at the Webmin idea, as well as Apache vhosts... I
>> think I remember looking into that a year or two ago, and not getting
>> anywhere with it. I'll try another attempt.
>>
>>
>>
>> On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys <mk6032 at yahoo.com> wrote:
>>
>>  Thanks for the tip on etckeeper! Tripwire / OSSEC hash files and tell
>> you if the hash has changed but they don't give you the actual change. This
>> should work much better!
>>
>> Regards,
>> Matt
>>
>>
>> On 06/23/2013 02:52 PM, Jason Brown wrote:
>>
>> I like the way virtualmin <http://www.virtualmin.com/> (a Webmin addon)
>> handles this, even if I don't always use the software.  You can use it for
>> configuration, then shut it down when not needed if its overhead is in the
>> way.
>>
>> In short, each website / apache virtual host gets its own user, unless
>> it is a sub-server under an existing user. It's a good data segmentation
>> model.
>>
>> For web site setup operations it is also a useful learning tool, change
>> an option and see what it did in the configuration file(s). etckeeper + git
>> is your friend here.
>>
>> --Jason
>>
>>
>>
>> _______________________________________________
>> Chugalug mailing list
>> Chugalug at chugalug.org
>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>>
>>
>>
>>  --
>>  David White
>> Founder & CEO
>>
>>  *Develop CENTS *
>>  Computing, Equipping, Networking, Training & Supporting
>>  Nonprofit Organizations Worldwide
>> http://developcents.com
>> 423-693-4234
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> David White
> Founder & CEO
>
> *Develop CENTS *
> Computing, Equipping, Networking, Training & Supporting
> Nonprofit Organizations Worldwide
> http://developcents.com
> 423-693-4234
>
>
>


-- 
Benjamin Stewart

<o(((><
><)))o>

