security

[Matthew J. Roth]

roland wrote:
> 
> Someone who will install a website on the server. So I thought to give
> him a login and config apache to read the dir in his home dir.
> He has to upload the files for this site. So I won't him to see only his
> home dir.
> 
> So actually he will not run something, just install.


Roland,

It sounds like sftp chroot() would satisfy your needs.  It would allow the user to manage content in his home directory and make it appear as the root of the filesystem.  In your sshd configuration, specifying "ForceCommand internal-sftp" inside a Match block for the user would force the use of an in-process sftp server, and prevent him from actually logging into a shell via ssh.  For added security, you can also set the user's shell to "/sbin/nologin".

I've done this on CentOS and it was a bit of a hassle, because the version of OpenSSH it provides doesn't include all of the required configuration options.  However, it looks like Fedora's version is recent enough to make it pretty straightforward.

Here are a couple of references that got me through this project:

 OpenSSH SFTP chroot() with ChrootDirectory <http://www.debian-administration.org/article/OpenSSH_SFTP_chroot_with_ChrootDirectory>

 Packaging OpenSSH on CentOS <http://binblog.info/2009/02/27/packaging-openssh-on-centos/>

Regards,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer