Permissions best practice: semi-shared hosting

Hi,

Learning rookie here.

I've got LAMP running nicely, with virtual hosts located at:

/srv/www//public_html

At the moment, www-data is the owner and group for everything here. I've offered to host some websites for an unemployed friend on my Linode. What would be the best practice for permissions, so that my friend only has access to his HTML and files?

As it's probably a one-off, I thought about creating a shell account for him, and storing his HTML within his home directory, with obvious permissions. But, this breaks my nice /srv/www/domain structure.

If I kept his HTML in /srv/www, what would the permissions look like to allow him access to only his files? Perhaps with a symlink from his shell account? Is there a "best practice" way for this?

Thanks, Richard.

7 Replies

I'd give him a jailed sftp account and let him stick his files in his home directory and link the virtual host to there; it's easier.

OK, looked for some instructions for jailed sftp, and there are many inconsistent recipes around for chroot. Tried some without success.

Bear in mind that I'm a learning rookie, can you point me to a working config for Debian 5?

I believe Debian's ssh server is recent enough for this technique, which is dead easy.

First edit /etc/ssh/sshd_config with the following values:

Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

You should put them at the bottom.

Now add a user for him as normal, setting the shell to /bin/false and adding him to the sftponly group.

Next, chown root:root /home/[username] and chmod 0755 /home/[username].

Restart ssh and you're done.

The only caveat is that the user won't be able to write to /home/[username]. I suggest adding a public_html folder and letting them write to that.

Ok, that is simple. I'm guessing I've seen older instructions when things weren't quite so easy.

I'll try this later.

Thanks very much for your help.

Richard

Worked perfectly. Thanks.

Now to work out Chroot'ing SSH shells… 8)

Chrooting the shell is a bit more difficult since they will need access to basic binaries (ls, cd, etc.). I think you need to ask yourself: do you really need to chroot them?

No, I don't need to chroot the shell for this particular user.

However, I'm trying to become a competent Linux sysadmin, and this is something that would be good to know how to do.
