[Chugalug] Running multi sites on one(non virt) machine

Alex Smith (K4RNT) shadowhunter at gmail.com
Mon Mar 17 15:44:01 UTC 2014


I'd just use Solaris Zones: it creates a completely compartmentalized
operating system zone, so that even if someone *does* manage to compromise
the account through... say, a buggy version of WordPress, the rest of the
system, and other users, would not be compromised.

This feature is also available on the Illumos (née OpenSolaris)
distributions, including OmniOS, SmartOS, OpenIndiana, OpenSXCE, Martux,
Nexenta, etc.


" ' With the first link, the chain is forged. The first speech censured,
the first thought forbidden, the first freedom denied, chains us all
irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and
warning... The first time any man's freedom is trodden on we’re all
damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG
episode "The Drumhead"
- Alex Smith
- Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA


On Mon, Mar 17, 2014 at 11:31 AM, Benjamin Stewart <
stewartbenjamin at gmail.com> wrote:

> From my experience, anyway, you basically have to create an entire
> mini-Linux system in the chroot in order to provide the functionality for
> users to be able to login (SSH binaries and their dependencies, etc....).
>
> One technique I've heard of (but haven't tried) is to create one
> "mini-Linux" master directory, and then link to it for each jail. That way
> there's only one place to update.
>
>
> On Mon, Mar 17, 2014 at 10:43 AM, David White <dwrudy at gmail.com> wrote:
>
>> I've also always had issues with chroot, mainly because the chroot leads
>> to a major headache in keeping system files up-to-date. From my experience,
>> anyway, you basically have to create an entire mini-Linux system in the
>> chroot in order to provide the functionality for users to be able to login
>> (SSH binaries and their dependencies, etc....).
>>
>> chroot 700 isn't a bad idea, except that both Apache and the user need
>> to be able to read the files. Maybe I could play around with groups and
>> group memberships, though.... that's not a bad idea.
>>
>>
>> On Mon, Mar 17, 2014 at 10:26 AM, William Roush <
>> william.roush at roushtech.net> wrote:
>>
>>> I've always had some problems with chroot and its (understandable)
>>> permission limitations...
>>>
>>> Mainly with a deploy where a user can edit their chrooted folder, but
>>> not subfolders of the chroot; that leads to headaches because I have to
>>> support changes in workflow to handle it.
>>>
>>> William Roush
>>> william.roush at roushtech.net
>>> 423-463-0592
>>> http://www.roushtech.net/blog/
>>>
>>> On 3/17/2014 10:21 AM, Ed King wrote:
>>>
>>> give each sftp user their own chroot folder
>>>
>>>
>>> ------------------------------
>>> *From:* David White <dwrudy at gmail.com>
>>> *To:* Chattanooga Unix Gnu Android Linux Users Group
>>> <chugalug at chugalug.org>
>>> *Sent:* Monday, March 17, 2014 9:55 AM
>>> *Subject:* Re: [Chugalug] Running multi sites on one(non virt) machine
>>>
>>> I'm digging up an old thread. Originally, I searched my Chugalug
>>> archives for OSSEC, but this email thread (ironically) brings up the real
>>> reason I was searching for OSSEC - figuring out a better way to secure my
>>> shared webserver infrastructure.
>>>
>>> Because right now, the single shared server I operate is anything but
>>> secure, other than a few scripts monitoring for file hash changes, having
>>> password auth turned off and relying only on key-based auth, and blocking IP
>>> addresses that repeatedly try to brute force the machine (I also manage
>>> dedicated servers, which is obviously much more preferable, security-wise).
>>>
>>> I really need a way to separate permissions and visibility from one
>>> user's directory to another's (user X shouldn't be able to see user Y's
>>> stuff when they log in via sFTP). Even though I have my users' stuff
>>> separated in different directories, any user - if they wanted to and knew
>>> how - could navigate *up* the directory tree and then over into another
>>> user's folder.
>>>
>>> Permissions are set so that they can't actually edit the files, but
>>> reading the files is bad enough... This has always been in the back of my
>>> mind as an issue I need to deal with - and I hate cPanel, and refuse to use
>>> it.
>>>
>>> I'll take a look at the Webmin idea, as well as Apache vhosts... I
>>> think I remember looking into that a year or two ago, and not getting
>>> anywhere with it. I'll try another attempt.
>>>
>>>
>>>
>>> On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys <mk6032 at yahoo.com> wrote:
>>>
>>> Thanks for the tip on etckeeper! Tripwire / OSSEC hash files and tell
>>> you if the hash has changed, but they don't give you the actual change. This
>>> should work much better!
>>>
>>> Regards,
>>> Matt
>>>
>>>
>>> On 06/23/2013 02:52 PM, Jason Brown wrote:
>>>
>>> I like the way virtualmin <http://www.virtualmin.com/> (a webmin addon)
>>> handles this, even if I don't always use the software. You can use it for
>>> configuration, then shut it down when not needed if its overhead is in the
>>> way.
>>>
>>> In short, each website / apache virtual host gets its own user, unless
>>> it is a sub-server under an existing user. It's a good data segmentation
>>> model.
>>>
>>> For web site setup operations it is also a useful learning tool, change
>>> an option and see what it did in the configuration file(s). etckeeper + git
>>> is your friend here.
>>>
>>> --Jason
>>>
>>>
>>>
>>> _______________________________________________
>>> Chugalug mailing list
>>> Chugalug at chugalug.org
>>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>>
>>>
>>>
>>>
>>> --
>>> David White
>>> Founder & CEO
>>>
>>> *Develop CENTS*
>>> Computing, Equipping, Networking, Training & Supporting
>>> Nonprofit Organizations Worldwide
>>> http://developcents.com
>>> 423-693-4234
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
> --
>
>
>
>                               Benjamin Stewart
>
>                                <o(((><
>                                ><)))o>
>
>
>
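The per-user sftp chroot that Ed suggests, combined with the group-membership idea David floats for letting Apache read files the user owns, can be expressed as a small sshd_config fragment plus a directory plan, and the chroot can be audited against sshd's rule that every component of ChrootDirectory must be root-owned and not writable by group or others. The script below is an added example written for this page, not code from anyone in the thread; the group name `sftponly`, the base path `/srv/sftp`, the Apache group `www-data` and the `/www` subdirectory are all assumptions.

```python
"""Per-user SFTP chroot: generate the sshd_config Match block, describe the
directory layout, and audit a chroot against sshd's ownership/permission rules.

Assumed layout (constructed for this example, not from the thread):
  /srv/sftp/<user>       root:root        0755  ChrootDirectory (root-owned, not user-writable)
  /srv/sftp/<user>/www   <user>:www-data  2750  user writes; Apache reads via the group bit
"""
import os
import stat
import tempfile

SFTP_GROUP = "sftponly"    # hypothetical group for chrooted sftp accounts
WEB_GROUP = "www-data"     # Apache's group on Debian-style systems (assumption)
CHROOT_BASE = "/srv/sftp"  # hypothetical base path for the per-user chroots


def sshd_match_block(group=SFTP_GROUP, base=CHROOT_BASE):
    """sshd_config fragment: members of `group` get only the in-process sftp
    server inside their own chroot; no shell, no forwarding. The -u umask
    keeps newly uploaded files from being world-readable."""
    return "\n".join([
        "Subsystem sftp internal-sftp",
        f"Match Group {group}",
        f"    ChrootDirectory {base}/%u",
        "    ForceCommand internal-sftp -u 027",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
    ]) + "\n"


def layout_for(user, base=CHROOT_BASE, web_group=WEB_GROUP):
    """Directory plan for one user as (path, owner, group, mode) tuples.
    The chroot itself is root-owned so the user cannot escape or tamper with
    it; the writable subdirectory is setgid to Apache's group so the web
    server reads through the group bits and nothing needs to be world-readable."""
    root = f"{base}/{user}"
    return [
        (root, "root", "root", 0o755),
        (f"{root}/www", user, web_group, 0o2750),
    ]


def check_chroot_dir(path, require_root_owner=True):
    """Audit one directory against sshd's ChrootDirectory requirements:
    a directory, owned by root, not writable by group or others.
    Returns a list of findings; an empty list means the directory passes."""
    st = os.stat(path)
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{path}: not a directory")
    if require_root_owner and st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, must be root")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def check_chroot_path(path, require_root_owner=True):
    """sshd checks every component of the ChrootDirectory path, so walk from
    the filesystem root down to `path` and collect findings for each one."""
    cur = os.path.abspath(path)
    components = []
    while True:
        components.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    findings = []
    for p in reversed(components):
        findings.extend(check_chroot_dir(p, require_root_owner))
    return findings


def make_demo_dir(mode):
    """Create a throwaway directory with the given mode so the checker can be
    exercised without root (constructed test input, not a real chroot)."""
    path = tempfile.mkdtemp(prefix="chroot-demo-")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(sshd_match_block())
    for entry in layout_for("alice"):
        print("%-25s %s:%s %o" % entry)
    # Audit a deliberately loose directory to show what the checker reports.
    loose = make_demo_dir(0o777)
    for finding in check_chroot_dir(loose, require_root_owner=False):
        print("FINDING:", finding)
```

Run it as root against a real path (`check_chroot_path("/srv/sftp/alice")`) after creating the directories from `layout_for`; the most common failure it catches is a chroot that was chowned to the user so they could upload into it, which sshd refuses because the user could then replace files under the chroot and sshd's own view of the jail would no longer be trustworthy.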