[scponly] Limiting to home directory without chroot?

Benjamin Donnachie benjamin at pythagoras.no-ip.org
Fri Sep 30 14:24:59 EDT 2005


scponly-7264 at tagged.lorens.org wrote:
> It's a web server, and the accounts are used as web sites. Apache runs
> as its own user and thus needs o+rX to read pages, but one student shouldn't
> be able to read another's PHP. Putting all files into the apache group,
> but not the users, would solve that problem, but then I have to find a
> way to make sure that files have the correct group on upload.

That's exactly what I've done on my system.  Apache also runs with the
group apache and all the home directories are also owned by the group
apache, with the permissions set to drwx--x---; thus the user has full
access and the apache group can descend into it, but no other access is
possible.

Then the public_html file within the home directory is set to the group
apache with the permissions drwxr-w---, thus allowing the group apache to
read all files in the hierarchy below.

New files default to the owner and group of the user, with the
permissions -rw-rw-r--, allowing apache to read the file, but with the
directory permissions denying access to all other users.

Due to my paranoia I've also set up a single user jail and this all
hangs off that.

> Maybe change everything and make apache run as each user, haven't
> thought about it, but it seems a much greater change than just adding
> "secure upload your files".

No need - just modify the directory group and permissions!

> Limiting scponly users to sftp only is definitely an option. So
> I should look at tweaking the sftp subsystem? It's not cd itself
> that I want to forbid, just cd above home dir. If sftp can do
> that, then perfect.

With the directory permissions that I use none of the users can access
each others files, apache works fine, scponly facilitates secure file
transfers and the jail prevents users accessing other parts of the file
system.

> Yes :-) I'd like it to work with as many windows clients as
> possible, but as it's just setting up I'm not afraid of calls
> saying "it worked with XXXXXXX before!!!!!" :-)

WinSCP works fine under Windows for me!  (Although, I do try to avoid
Windows as much as possible! :->)

Please feel free to contact me if you'd like a more thorough explanation.

Take care,

Ben
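The permission scheme Ben describes (home directory owned by the user with group apache and mode 710, public_html 750, uploaded files 664) works because POSIX path resolution needs the x bit on every directory along the way and the r bit only on the final object. The following is an added worked example, not code from the post or from the scponly project: it models that access check and runs the three principals from the thread (the site owner, the apache group, and another student) through the described tree. The user names, the "/home"-relative paths and the umask value are constructed for the example.

```python
import stat
from dataclasses import dataclass, field


@dataclass
class Node:
    """A file or directory with the ownership and mode bits that matter for access."""
    owner: str
    group: str
    mode: int                 # permission bits only, e.g. 0o710 for drwx--x---
    is_dir: bool = True
    children: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Principal:
    """A process identity: effective user plus the groups it belongs to."""
    user: str
    groups: frozenset


def _bits(node: Node, who: Principal):
    """Return (r, w, x) for `who` on `node` using the POSIX owner/group/other rule."""
    if who.user == node.owner:
        shift = 6                       # owner triple
    elif node.group in who.groups:
        shift = 3                       # group triple
    else:
        shift = 0                       # "other" triple
    m = (node.mode >> shift) & 0o7
    return bool(m & 4), bool(m & 2), bool(m & 1)


def can_read(root: Node, path: str, who: Principal) -> bool:
    """Every directory on the way needs x (search) for `who`; the target needs r."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if not node.is_dir or not _bits(node, who)[2]:
            return False                # cannot descend: traversal denied here
        node = node.children.get(part)
        if node is None:
            return False
    return _bits(node, who)[0]


def new_file_mode(umask: int) -> int:
    """Mode of a freshly created regular file: 0666 masked by the process umask."""
    return 0o666 & ~umask


def build_layout(home_mode: int = 0o710, pub_mode: int = 0o750) -> Node:
    """Construct the tree from the post, rooted at /home (constructed example data).

    Defaults are the post's bits: home drwx--x--- (group apache),
    public_html drwxr-x--- (group apache), files -rw-rw-r-- in the user's group.
    """
    home = Node(owner="root", group="root", mode=0o755)
    for student in ("alice", "bob"):
        h = Node(owner=student, group="apache", mode=home_mode)
        pub = Node(owner=student, group="apache", mode=pub_mode)
        pub.children["index.php"] = Node(owner=student, group=student,
                                         mode=new_file_mode(0o002), is_dir=False)
        h.children["public_html"] = pub
        home.children[student] = h
    return home


def evaluate(root: Node, path: str = "alice/public_html/index.php") -> dict:
    """Who can read alice's PHP source: alice herself, the web server, another student?"""
    alice = Principal("alice", frozenset({"alice"}))
    apache = Principal("apache", frozenset({"apache"}))
    bob = Principal("bob", frozenset({"bob"}))
    return {
        "alice": can_read(root, path, alice),
        "apache": can_read(root, path, apache),
        "bob": can_read(root, path, bob),
    }


if __name__ == "__main__":
    print("post's bits      :", evaluate(build_layout()))
    # Loosening both directories to world-searchable exposes the 664 file to bob.
    print("711/755 instead  :", evaluate(build_layout(home_mode=0o711, pub_mode=0o755)))
```

The second run shows why the directory bits, not the file bits, carry the isolation: the uploaded file is world-readable (664), so the moment a home directory or public_html becomes world-searchable, every other account on the box can read the PHP source.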
