[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Fwd: Re: How to give users ftp access to their sites safely


----------  Forwarded Message  ----------

Subject: Re: How to give users ftp access to their sites safely
Date: Friday 23 September 2005 13:37
From: Dan MacNeil <dan@thecsl.org>
To: mimo <mimo@restoel.net>

Hi mimo

You might reply to the list as I'm sure your info is of general interest.

You might also reply to Rod instead of me :->


mimo wrote:
> Hi Rod
> there is two ways I could think of but not sure if either of them is of any
> use for you:
> 1) use /home/$USER/public_html as web root -- this is well supported by
> apache
> 2) separate login methods for web site and users. use ftp for /home/http (I
> would suggest using the default debian /var/www unless there are good
> reasons not to do so) and sftp/ssh for /home accesses
> Hope this helps
> mimo
> On Friday 23 September 2005 12:56, Dan M. MacNeil wrote:
>>reply below
>>R. W. Rodolico wrote:
>>>I have all user directories under /home/users. All web sites are
>>>under /home/http/. I use the chroot function in proftp to ensure
>>>that anyone ftp'ing in to the machine only has access to their
>>>personal directory.
>>>The problem is that some users need ftp access to their web sites
>>>also. Symbolic links don't work because the link refers to something
>>>outside the chroot root. So, I did a mount --bind for each user to
>>>the web site they needed to access. This results in about 30 mounted
>>>directories, problems on backup, and funky displays when I try to
>>>issue the df command to see how much space I have. I can work around
>>>all of these, but . . .
>>We're exploring similar issues.
>>Another problem with mount --bind is that you are limited to 200 or so
>>mounts per volume.
>>One thing we're considering is libpam-mount
>>Another is hard links
>> From our painful experience /home/http may not be a good way to go if
>>you ever decide to use suexec.
>>We have /home/sites and have to re-compile suxec to use a document root
>>different than /var/www every time there is a security patch for apache.
>>>I'm sure there is a much better way. I don't mind changing the
>>>directory structure around if I need to.
>>>Any and all suggestions would be greatly appreciated.


Reply to: