<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace">I'd just use Solaris Zones, it creates a completely compartmentalized operating system zone, so that even if someone *does* manage to compromise the account through... say a buggy version of WordPress, the rest of the system, and other users, would not be compromised.</div>

<div class="gmail_default" style="font-family:courier new,monospace"><br></div><div class="gmail_default" style="font-family:courier new,monospace">This feature is also available on the Illumos (nee OpenSolaris) distributions, including OmniOS, SmartOS, OpenIndiana, OpenSXCE, Martux, Nexenta, etc.</div>

<div class="gmail_default" style="font-family:courier new,monospace"><br></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><font face="courier new, monospace">" ' With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on we’re all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"<br>

- Alex Smith<br>- Dulles Technology Corridor (Chantilly/Ashburn/Dulles), Virginia USA</font></div></div>
<br><br><div class="gmail_quote">On Mon, Mar 17, 2014 at 11:31 AM, Benjamin Stewart <span dir="ltr"><<a href="mailto:stewartbenjamin@gmail.com" target="_blank">stewartbenjamin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr"><div class="">From my experience, anyway, you basically have to create an entire 
mini-Linux system in the chroot in order to provide the functionality 
for users to be able to login (SSH binaries and their dependencies, 
etc....).<br><br></div>One technique I've heard of (but haven't tried) is to create one "mini-Linux" master directory, and then link to it for each jail. That way there's only one place to update. <br>

</div>
<div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Mon, Mar 17, 2014 at 10:43 AM, David White <span dir="ltr"><<a href="mailto:dwrudy@gmail.com" target="_blank">dwrudy@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I've also always had issues with chroot, mainly because the chroot leads to a major headache in keeping system files up-to-date. From my experience, anyway, you basically have to create an entire mini-Linux system in the chroot in order to provide the functionality for users to be able to login (SSH binaries and their dependencies, etc....).<div>



<br></div><div>chroot 700 isn't a bad idea, except that both Apache and the user need to be able to read the files. Maybe I could play around with groups and group memberships, though.... that's not a bad idea.</div>



</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 17, 2014 at 10:26 AM, William Roush <span dir="ltr"><<a href="mailto:william.roush@roushtech.net" target="_blank">william.roush@roushtech.net</a>></span> wrote:<br>



<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>I've always had some problems with
      chroot and its (understandable) permission limitations...<br>
      <br>
      Mainly, a deploy in which a user can edit their chrooted folder,
      and not sub-folders of the chroot, leads to headaches because I
      have to support changes in workflow to handle that.<br>
      <pre cols="72">William Roush
<a href="mailto:william.roush@roushtech.net" target="_blank">william.roush@roushtech.net</a>
<a href="tel:423-463-0592" value="+14234630592" target="_blank">423-463-0592</a>

<a href="http://www.roushtech.net/blog/" target="_blank">http://www.roushtech.net/blog/</a>


</pre><div><div>
      On 3/17/2014 10:21 AM, Ed King wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <div style="font-size:10pt;font-family:times new roman,new york,times,serif">give each sftp
        user their own chroot folder<br>
        <div><span><br>
          </span></div>
        <div><br>
        </div>
        <div style="font-family:times new roman,new york,times,serif;font-size:10pt">
          <div style="font-family:times new roman,new york,times,serif;font-size:12pt">
            <div dir="ltr">
              <hr size="1"> <font face="Arial"> <b><span style="font-weight:bold">From:</span></b> David
                White <a href="mailto:dwrudy@gmail.com" target="_blank"><dwrudy@gmail.com></a><br>
                <b><span style="font-weight:bold">To:</span></b>
                Chattanooga Unix Gnu Android Linux Users Group
                <a href="mailto:chugalug@chugalug.org" target="_blank"><chugalug@chugalug.org></a> <br>
                <b><span style="font-weight:bold">Sent:</span></b>
                Monday, March 17, 2014 9:55 AM<br>
                <b><span style="font-weight:bold">Subject:</span></b>
                Re: [Chugalug] Running multi sites on one(non virt)
                machine<br>
              </font> </div>
            <div><br>
              <div>
                <div dir="ltr">I'm digging up an old thread. Originally,
                  I searched my Chugalug archives for OSSEC, but this
                  email thread (ironically) brings up the real reason I
                  was searching for OSSEC - figuring out a better way to
                  secure my shared webserver infrastructure. 
                  <div>
                    <br>
                  </div>
                    <div>Because right now, the single shared server I
                      operate is anything but secure, other than a few
                      scripts monitoring for file hash changes, having
                      password auth turned off and only relying on key-based
                      auth, and blocking IP addresses that repeatedly try
                      to brute force the machine (I also manage dedicated
                      servers, which are obviously much preferable,
                      security-wise).
                    <div>
                      <br>
                    </div>
                    <div>I really need a way to separate permissions and
                      visibility from one user's directory to another's
                      (user X shouldn't be able to see user Y's stuff
                      when they log in via sFTP). Even though I have my
                      users' stuff separated in different directories,
                      any user, if they wanted to and knew how, could
                      navigate <u>up</u> the directory tree and then
                      over into another user's folder. </div>
                    <div><br>
                    </div>
                    <div>Permissions are set so that they can't actually
                      edit the files, but reading the files is bad
                      enough... This has always been in the back of my
                      mind as an issue I need to deal with - and I hate
                      cPanel, and refuse to use it.</div>
                    <div><br>
                    </div>
                    <div>I'll take a look at the Webmin idea, as well as
                      Apache vhosts... I think I remember looking into
                      that a year or two ago, and not getting anywhere
                      with it. I'll try another attempt.</div>
                    <div><br>
                    </div>
                  </div>
                </div>
                <div><br>
                  <br>
                  <div>On Mon, Jun 24,
                    2013 at 10:50 AM, Matt Keys <span dir="ltr"><<a rel="nofollow" href="mailto:mk6032@yahoo.com" target="_blank">mk6032@yahoo.com</a>></span>
                    wrote:<br>
                    <blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div>
                        <div>Thanks for the tip on etckeeper! Tripwire /
                          OSSEC hash files and tell you if the hash has
                          changed but they don't give you the actual
                          change. This should work much better!<br>
                          <br>
                          Regards,<br>
                          Matt
                          <div><br>
                            <br>
                            On 06/23/2013 02:52 PM, Jason Brown wrote:<br>
                          </div>
                        </div>
                        <div>
                          <blockquote type="cite">
                            <div>I like the way <a rel="nofollow" href="http://www.virtualmin.com/" target="_blank">virtualmin</a>
                              (a Webmin addon) handles this, even if I
                              don't always use the software.  You can
                              use it for configuration, then shut it
                              down when not needed if its overhead is
                              in the way.<br>
                              <br>
                              In short, each website / Apache virtual
                              host gets its own user, unless it is a
                              sub-server under an existing user. It's a
                              good data segmentation model.<br>
                              <br>
                              For web site setup operations it is also a
                              useful learning tool, change an option and
                              see what it did in the configuration
                              file(s). etckeeper + git is your friend
                              here.<br>
                              <br>
                              --Jason<br>
                              <br>
                            </div>
                          </blockquote>
                          <br>
                        </div>
                      </div>
                      <br>
                      _______________________________________________<br>
                      Chugalug mailing list<br>
                      <a rel="nofollow" href="mailto:Chugalug@chugalug.org" target="_blank">Chugalug@chugalug.org</a><br>
                      <a rel="nofollow" href="http://chugalug.org/cgi-bin/mailman/listinfo/chugalug" target="_blank">http://chugalug.org/cgi-bin/mailman/listinfo/chugalug</a><br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <div><br>
                  </div>
                  -- <br>
                  <div dir="ltr">
                    <div>
                      <div style="font-family:arial;font-size:small">David
                        White</div>
                      <div style="font-family:arial;font-size:small">Founder
                        & CEO<br>
                      </div>
                      <div style="font-family:arial;font-size:small"><b><br>
                        </b></div>
                      <div style="font-family:arial;font-size:small">
                        <div><b>Develop CENTS </b><br>
                        </div>
                        <div>Computing, Equipping, Networking, Training
                          & Supporting </div>
                        <div>
                          Nonprofit Organizations Worldwide</div>
                        <div><a rel="nofollow" href="http://developcents.com/" style="color:rgb(17,85,204)" target="_blank">http://developcents.com</a></div>
                        <div><a href="tel:423-693-4234" value="+14236934234" target="_blank">423-693-4234</a></div>
                      </div>
                    </div>
                    <div style="line-height:130%;text-align:left;font-size:10px;overflow:hidden;margin-left:0px;word-wrap:break-word;margin-top:0px;padding:0px"></div>
                  </div>
                </div>
              </div>
              <br>
              <br>
              <br>
            </div>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div><div style="font-family:arial;font-size:small">David White</div><div style="font-family:arial;font-size:small">Founder & CEO<br></div>



<div style="font-family:arial;font-size:small"><b><br></b></div><div style="font-family:arial;font-size:small"><div><b>Develop CENTS </b><br></div><div>Computing, Equipping, Networking, Training & Supporting </div><div>



Nonprofit Organizations Worldwide</div><div><a href="http://developcents.com/" style="color:rgb(17,85,204)" target="_blank">http://developcents.com</a></div><div><a href="tel:423-693-4234" value="+14236934234" target="_blank">423-693-4234</a></div>


</div></div><div style="line-height:130%;text-align:left;font-size:10px;overflow:hidden;margin-left:0px;word-wrap:break-word;margin-top:0px;padding:0px">
</div></div>
</div>
</div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><br><br><br></div></div>                              Benjamin Stewart<br><br>                               <o(((><<br>                               ><)))o>
</div>
<br></blockquote></div><br></div>
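The per-user SFTP chroot that Ed, William and David go back and forth on above (each sftp user confined to their own directory, the user only able to write below the chroot root, and Apache reading the files through a group rather than world permissions) can be laid out with OpenSSH's ChrootDirectory and internal-sftp. The script below is an added example and is not code from anyone in this thread; the group name sftponly, the base directory /srv/sftp, the web-server group www-data and the public_html subdirectory are all assumed names. Because internal-sftp runs inside sshd, no shell, SSH binaries or libraries need to be copied into the chroot, which removes the "mini-Linux in every jail" maintenance problem David describes.

```shell
#!/bin/sh
# Added example (not from this thread): per-user SFTP chroot layout plus the
# matching sshd_config fragment, using OpenSSH's ChrootDirectory and
# ForceCommand internal-sftp. Group "sftponly", base /srv/sftp, web group
# "www-data" and subdir "public_html" are assumed names, not from the thread.

# Render the sshd_config fragment that confines every member of group $1 to
# $2/<username>. sshd expands %u to the authenticating user's name.
sftp_match_block() {
    grp="$1"; base="$2"
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $grp
    ChrootDirectory $base/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Create the on-disk layout for one user: $1 = base dir, $2 = user, $3 = group
# the web server runs as. sshd refuses a chroot whose root (or any parent) is
# not root-owned or is group/world-writable, so the user's writable area is the
# public_html subdirectory, never the chroot root itself. Group ownership plus
# the setgid bit let the web server read files without making them world-readable.
# The chown calls need root, so they are skipped when run unprivileged (which
# also lets the layout be exercised in a scratch directory).
make_sftp_chroot() {
    base="$1"; user="$2"; webgrp="$3"
    root="$base/$user"
    mkdir -p "$root/public_html"
    chmod 755 "$root"                # root-owned, read-only for the user
    chmod 2750 "$root/public_html"   # user rwx, web group r-x, others nothing
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$root"
        chown "$user:$webgrp" "$root/public_html"   # account assumed to exist
    fi
    printf '%s\n' "$root"
}

# Return 0 when a directory's mode satisfies sshd's chroot-root rule (no group
# or world write bit). Parsed from ls -l so it works on GNU and BSD userlands;
# ownership (root:root) must still be checked separately on a real host.
chroot_root_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 1 ;;   # group write (col 6) or other write (col 9)
    esac
    return 0
}

# Stand-alone demo in a scratch directory (constructed input, no system changes).
demo=$(mktemp -d)
r=$(make_sftp_chroot "$demo" alice www-data)
chroot_root_ok "$r" && echo "ok: $r is an acceptable chroot root"
sftp_match_block sftponly /srv/sftp
rm -rf "$demo"
```

On a real host, append the rendered fragment to sshd_config, check it with `sshd -t` before reloading, create /srv/sftp itself as root:root 755, and put each customer account in the sftponly group with its home set to the chroot root. The web server then reads /srv/sftp/<user>/public_html through its group membership, so the directories can stay closed to other users entirely rather than being world-readable.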