security
Bill Davidsen
davidsen at tmr.com
Fri Aug 13 16:21:42 UTC 2010
roland wrote:
> On Thu, 12 Aug 2010 15:31:04 +0200, Tim <ignored_mailbox at yahoo.com.au>
> wrote:
>
>> On Thu, 2010-08-12 at 14:40 +0200, roland wrote:
>>> I would like to give someone a login on my server.
>>> But, I would like to limit access to his home dir.
>>>
>>> With Nautilus, Konqueror or from distance with p.e. Winscp, this
>>> person could see what he wants and do maybe the unexpected.
>> Unless you get slack with permissions, they can't read files owned by
>> someone else unless those files have read permission for "other" users.
>> Likewise, regarding writing to them. No ordinary user can change system
>> or application files, only their own files.
>>
>> And, as far as restricting them, that may depend on what you mean by
>> logon to your system. You're sharing out a drive, directories, or
>> actually allowing a direct logon where they can run things.
>>
> Someone who will install a website on the server. So I thought to give him
> a login and config apache to read the dir in his home dir.
> He has to upload the files for this site. So I won't him to see only his
> home dir.
>
> So actually he will not run something, just install.
>
Complex solutions (require building an environment):
- chroot setup
- virtual machine
Other solutions:
- sftp
- rsync (possibly with relative option)
Note that ssh should be used, with a private key and entry in authorized_keys.
This has two benefits, one being that he doesn't have (or need) the password,
and the authorized_keys file can restrict him to executing one and only one
command or sequence of commands. This eliminates the need for an interactive
login, always nice.
I would think about letting him provide CGI, that kind of bypasses all the
protections unless you run him full time in a VM. Just my thought on it.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
More information about the users
mailing list