Hi,

Learning rookie here.

I've got LAMP running nicely, with virtual hosts located at:

/srv/www/<domain>/public_html

At the moment, www-data is the owner and group for everything here. I've offered to host some websites for an unemployed friend on my Linode. What would be the best practice for permissions, so that my friend only has access to his HTML and files.

As it's probably a one-off, I thought about creating a shell account for him, and storing his HTML within his home directory, with obvious permissions. But, this breaks my nice /srv/www/domain structure.

If I kept his HTML in /srv/www what would the permissions look like, to allow him access to only his files. Perhaps with a symlink from his shell account? Is there a "best practice" way for this?

Thanks, Richard.

I'd give him a jailed sftp account and let him stick his files in his home directory and link the virtual host to there, it's easier.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

OK, looked for some instructions for jailed sftp, and there's many inconsistent recipies around for chroot. Tried some without success.

Bear in mind that I'm a learning rookie, can you point me to a working config for Debian 5?

I believe debian's ssh server is recent enough for this technique which is dead easy.

First edit /etc/ssh/sshd_config with the following values

Subsystem sftp internal-sftp

Match Group sftponly
   ChrootDirectory /home/%u
   ForceCommand internal-sftp
   AllowTcpForwarding no

You should put them at the bottom.

Now add him a user as normal, setting the shell to /bin/false and adding them to the sftponly group.

Next chown root:root /home/[username] and chmod 0755 /home/[username]

Restart ssh and you're done.

The only caveat is that the user won't be able to write to /home/[username] I suggest adding a public_html folder and let them write to that.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

Ok, that is simple. I'm guessing I've seen older instructions when things weren't quite so easy.

I'll try this later.

Thanks very much for your help.

Richard

Worked perfectly. Thanks.

Now to work out Chroot'ing SSH shells...

chrooting the shell is a bit more difficult since they will need access to basic binaries (ls,cd etc), I think you need to ask your self do you really need to chroot them?

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

No, I don't need to chroot the shell for this particular user.

However, I'm trying to become a competent Linux sysadmin, and this is something that would be good to know how to do.