[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: httpd chroot + nullfs
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: httpd chroot + nullfs
- From: "L. V. Lammert" <lvl_(_at_)_omnitec_(_dot_)_net>
- Date: Thu, 31 Mar 2005 20:15:21 -0600 (CST)
On Thu, 31 Mar 2005, Aaron Suen wrote:
> On Thu, Mar 31, 2005 at 02:37:17PM -0700, Bob Beck wrote:
> > * Matthew Weigel <unique_(_at_)_idempot_(_dot_)_net> [2005-03-31 14:26]:
> > > Aaron Suen wrote:
> > > >
> > > >Basically, mount_null et. al. is toast, so I'm sort of in trouble
> > > >running my web server. Basically, I'm trying to run an apache server
> > > >in a chroot environment with minimal access to user files (mounting
> > > >/home/$USER/www into /var/www/users/$USER, keeping most of user's home
> > > >inaccessible), and users access their files via a chrooted pure-ftpd.
> > > >Thus, symlinks won't work, in either direction.
> > >
If the users are doing web site access, why not put just the home
directories *inside* the chroot?
We normally do it that way, with the users having ftp access via chroot,
producing a clean, fairly secure config (especially with the ftp
chroot'd, that way they can't get OUT of their home directories).
The less-than-secure ftp access is more than offset by the chroot'd file
system security; in any case, the users are only moving html & web files,
so there's no need, really, for better security a la ssh.
With ftp access to a chroot'd file system accessible by web, there's also
much less need for shell access anyway.
Leland V. Lammert lvl_(_at_)_omnitec_(_dot_)_net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net