[Chugalug] Running multi sites on one(non virt) machine

William Roush william.roush at roushtech.net
Mon Mar 17 17:35:17 UTC 2014


I really need to brush up on running a UIless Solaris box, we got a 
Nexenta system at work and I'm tempted to run with an Illumos system in 
my homelab when I get around to doing that...

William Roush
william.roush at roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/17/2014 11:44 AM, Alex Smith (K4RNT) wrote:
> I'd just use Solaris Zones, it creates a completely compartmentalized 
> operating system zone, so that even if someone *does* manage to 
> compromise the account through... say a buggy version of WordPress, 
> the rest of the system, and other users, would not be compromised.
>
> This feature is also available on the Illumos (nee OpenSolaris) 
> distributions, including OmniOS, SmartOS, OpenIndiana, OpenSXCE, 
> Martux, Nexenta, etc.
>
>
> " ' With the first link, the chain is forged. The first speech 
> censured, the first thought forbidden, the first freedom denied, 
> chains us all irrevocably.' Those words were uttered by Judge Aaron 
> Satie as wisdom and warning... The first time any man's freedom is 
> trodden on we're all damaged." - Jean-Luc Picard, quoting Judge Aaron 
> Satie, Star Trek: TNG episode "The Drumhead"
> - Alex Smith
> - Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA
>
>
> On Mon, Mar 17, 2014 at 11:31 AM, Benjamin Stewart 
> <stewartbenjamin at gmail.com> wrote:
>
>     From my experience, anyway, you basically have to create an
>     entire mini-Linux system in the chroot in order to provide the
>     functionality for users to be able to login (SSH binaries and
>     their dependencies, etc....).
>
>     One technique I've heard of (but haven't tried) is to create one
>     "mini-Linux" master directory, and then link to it for each jail.
>     That way there's only one place to update.
>
>
>     On Mon, Mar 17, 2014 at 10:43 AM, David White <dwrudy at gmail.com> wrote:
>
>         I've also always had issues with chroot, mainly because the
>         chroot leads to a major headache in keeping system files
>         up-to-date. From my experience, anyway, you basically have to
>         create an entire mini-Linux system in the chroot in order to
>         provide the functionality for users to be able to login (SSH
>         binaries and their dependencies, etc....).
>
>         chroot 700 isn't a bad idea, except that both Apache and the
>         user need to be able to read the files. Maybe I could play
>         around with groups and group memberships, though.... that's
>         not a bad idea.
>
>
>         On Mon, Mar 17, 2014 at 10:26 AM, William Roush <william.roush at roushtech.net> wrote:
>
>             I've always had some problems with chroot and its
>             (understandable) permission limitations...
>
>             Mainly with a deploy where a user can edit their chrooted
>             folder, but not subfolders of the chroot, which leads to
>             headaches because I have to support changes in workflow to
>             handle that.
>
>             William Roush
>             william.roush at roushtech.net
>             423-463-0592
>
>             http://www.roushtech.net/blog/
>
>
>             On 3/17/2014 10:21 AM, Ed King wrote:
>>             give each sftp user their own chroot folder
>>
>>
>>             ------------------------------------------------------------------------
>>             From: David White <dwrudy at gmail.com>
>>             To: Chattanooga Unix Gnu Android Linux Users Group <chugalug at chugalug.org>
>>             Sent: Monday, March 17, 2014 9:55 AM
>>             Subject: Re: [Chugalug] Running multi sites on one(non virt) machine
>>
>>             I'm digging up an old thread. Originally, I searched my
>>             Chugalug archives for OSSEC, but this email thread
>>             (ironically) brings up the real reason I was searching
>>             for OSSEC - figuring out a better way to secure my shared
>>             webserver infrastructure.
>>
>>             Because right now, the single shared server I operate is
>>             anything but secure other than a few scripts monitoring
>>             for file hash changes and having password auth turned
>>             off, only relying on key-based auth, and blocking IP
>>             addresses that repeatedly try to brute force the machine
>>             (I also manage dedicated servers, which is obviously much
>>             preferable, security-wise).
>>
>>             I really need a way to separate permissions and
>>             visibility from 1 user's directory to another's (user X
>>             shouldn't be able to see user Y's stuff when they login
>>             via sFTP). Even though I have my user's stuff separated
>>             in different directories, any user - if they wanted to
>>             and knew how, could navigate _up_ the directory tree and
>>             then over into another user's folder.
>>
>>             Permissions are set so that they can't actually edit the
>>             files, but reading the files is bad enough... This has
>>             always been in the back of my mind as an issue I need to
>>             deal with - and I hate cPanel, and refuse to use it.
>>
>>             I'll take a look at the Webmin idea, as well as Apache
>>             vhosts... I think I remember looking into that a year or
>>             two ago, and not getting anywhere with it. I'll try
>>             another attempt.
>>
>>
>>
>>             On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys
>>             <mk6032 at yahoo.com> wrote:
>>
>>                 Thanks for the tip on etckeeper! Tripwire / OSSEC
>>                 hash files and tell you if the hash has changed but
>>                 they don't give you the actual change. This should
>>                 work much better!
>>
>>                 Regards,
>>                 Matt
>>
>>
>>                 On 06/23/2013 02:52 PM, Jason Brown wrote:
>>>                 I like the way virtualmin
>>>                 <http://www.virtualmin.com/> (A webmin addon)
>>>                 handles this, even if I don't always use the
>>>                 software.  You can use it for configuration, then
>>>                 shut it down when not needed if its overhead is in
>>>                 the way.
>>>
>>>                 In short, each website / apache virtual host gets
>>>                 its own user, unless it is a sub-server under an
>>>                 existing user. It's a good data segmentation model.
>>>
>>>                 For web site setup operations it is also a useful
>>>                 learning tool, change an option and see what it did
>>>                 in the configuration file(s). etckeeper + git is
>>>                 your friend here.
>>>
>>>                 --Jason
>>>
>>
>>
>>                 _______________________________________________
>>                 Chugalug mailing list
>>                 Chugalug at chugalug.org
>>                 http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>>
>>
>>
>>             -- 
>>             David White
>>             Founder & CEO
>>             Develop CENTS
>>             Computing, Equipping, Networking, Training & Supporting
>>             Nonprofit Organizations Worldwide
>>             http://developcents.com
>>             423-693-4234
>
>
>     -- 
>
>
>
>                                   Benjamin Stewart
>
>                                    <o(((><
>                                    ><)))o>

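The per-user sftp chroot Ed King suggests can be done without the "mini-Linux" problem David and Benjamin describe: OpenSSH's internal-sftp runs inside sshd itself, so the chroot only has to hold the user's data. The script below is an added example and is not from anyone in the thread; it prints the sshd_config stanza, checks the ownership rule sshd enforces on ChrootDirectory, and lays out a home where the user writes and Apache reads. The group names `sftponly` and `www-data` and the use of GNU/busybox `stat` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-user sftp chroot using OpenSSH's
# internal-sftp. Assumed names: group "sftponly" for chrooted users,
# "www-data" for the Apache group. GNU/busybox stat is assumed.

# sshd_config stanza. internal-sftp runs inside sshd itself, so the chroot
# holds only data: no shell, coreutils or libc copies are needed.
sftp_match_block() {
    group=${1:-sftponly}
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match Group $group" \
        "    ChrootDirectory %h" \
        "    ForceCommand internal-sftp -u 0027" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# sshd refuses a ChrootDirectory unless every path component is owned by
# root and not writable by group or others. Walk up to / and report the
# first component that breaks the rule; return 1 if any does.
check_chroot_path() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    while :; do
        owner=$(stat -c '%u' "$p") || return 1
        perms=$(stat -c '%a' "$p") || return 1
        if [ "$owner" != 0 ]; then
            echo "not root-owned: $p" >&2; return 1
        fi
        # 022 masks the group and other write bits of the octal mode
        if [ $(( 0$perms & 022 )) -ne 0 ]; then
            echo "group/other writable: $p" >&2; return 1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# Lay out a home that satisfies the rule above yet stays usable: the home
# itself is root-owned, and public_html is owned by the user with the
# Apache group as its setgid group, so the user writes and Apache reads.
# Needs root; not exercised by the checks.
setup_sftp_home() {
    user=$1; webgroup=${2:-www-data}; home=/home/$user
    mkdir -p "$home/public_html"
    chown root:root "$home" && chmod 755 "$home"
    chown "$user:$webgroup" "$home/public_html" && chmod 2750 "$home/public_html"
    check_chroot_path "$home"
}
```

Because internal-sftp's umask of 0027 makes new files group-readable but not world-readable, Apache only sees the user's files through the www-data group membership, which addresses the "both Apache and the user need to read" question without opening the tree to other sftp users.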