
Jailing users with apache and mysql access

Posted: Fri Dec 05, 2008 6:59 am
by shiznatix
So this is kinda strange to me. I have searched and tried many things but to no avail. I am on a Debian system and we are outsourcing a small project and they need the webspace to create the project so I am trying to get that set up for them.

My problem of course is I don't want them snooping around my code because they can get info such as passwords and whatnot if they look hard enough. What I have been doing so far for our trusted people is just create a new user, put their web-root in their home folder and throw their subdomain to that webroot. This works great but of course these users can view the other users' files no problemo.

First thought was to jail the users, perfect idea yes!? arg, no. I don't want to recompile everything and all that jazzy stuff because I'm not a guru...yet... but I did find an awesome script that seemed to do everything at first: http://www.fuschlberger.net/programs/ss ... root-jail/
This was awesome and did what I wanted but with the downfall that apache cannot read its directories, I get a 403 Forbidden at all times, even if I do something like "chmod 777 /home/jail" I get the same error.

So now I am stuck with 2 things I don't know how to do and can't find info on:
1 would be to just find a way to get apache/php to read this chrooted directory and that would be that, problem solved.

The other idea would be to set up the new user with basically no permissions to read anything outside of what is his home folder. I wouldn't want this user to be able to ls in any folder that he does not own and even if he does happen to know the exact location of a file, he shouldn't be able to open it (like if the permissions on all files except his would be 711) but I can't figure out how to do this.

So, can any of you fine people help me out?

edit: and yes, with the make_chroot_jail script I did uncomment the lines regarding "if apache can't read..." and still the same effect.
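
A way to see what users outside the owner and group can do in each directory on the way to a web root, relevant to both the 403 on the jailed directory and the 711 idea in the post above; this is an added example, not part of the original thread. It assumes the Apache user (or the other shell user) is neither owner nor group member of the directories, so the "other" permission bits apply, it ignores ACLs, and `audit_path` and its helpers are hypothetical names.

```sh
#!/bin/sh
# Constructed helper: report what "other" users may do in each directory
# on the way to a web root, using only the mode string printed by ls -ld.

# other_bits DIR: the three "other" permission characters, e.g. "--x"
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# classify DIR: open (list + enter), traverse (enter only, as with 711),
# or blocked (cannot enter, so nothing below it is reachable)
classify() {
    case "$(other_bits "$1")" in
        r?x|r?t) echo open ;;
        ??x|??t) echo traverse ;;
        *)       echo blocked ;;
    esac
}

# audit_path ABSOLUTE_DIR: one "state<TAB>dir" line per directory, from / down
audit_path() {
    p=$1
    chain=
    while :; do
        chain="$p
$chain"
        if [ "$p" = / ] || [ "$p" = . ]; then break; fi
        p=$(dirname "$p")
    done
    printf '%s' "$chain" | while IFS= read -r d; do
        printf '%s\t%s\n' "$(classify "$d")" "$d"
    done
}

# Usage: sh audit.sh /absolute/path/to/webroot
if [ $# -gt 0 ]; then audit_path "$1"; fi
```

A `blocked` line anywhere in the output means nothing below that directory is reachable through the "other" bits, whatever the mode of the final directory is; `traverse` is the 711-style state where a known path can be entered but the directory cannot be listed.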

Re: Jailing users with apache and mysql access

Posted: Fri Dec 05, 2008 7:57 am
by VladSun
If you don't want them to use SSH, but SCP only:
http://sublimation.org/scponly/wiki/ind ... 9_with_apt

Re: Jailing users with apache and mysql access

Posted: Mon Dec 08, 2008 2:32 am
by shiznatix
Thanks, but once that gave me errors asking me to recompile the damn thing I gave up and just switched to regular FTP.

How can something so old work so much better than new stuff? I mean seriously, why can't sftp chroot a user as easily as ftp does? Took me 10 minutes to set up and configure my ftp server for this dude but 2 days of banging my head got me nowhere with ssh / sftp. Stupid if you ask me.

Re: Jailing users with apache and mysql access

Posted: Mon Dec 08, 2008 5:14 am
by VladSun
I had no problems apt-get installing it on Debian 4.0 etch - no recompile needed. I followed the instructions I gave you and it worked without any problems - users had no SSH shell and were locked in their home directory ;)