Re: httpd chroot + nullfs
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: httpd chroot + nullfs
- From: "L. V. Lammert" <lvl_(_at_)_omnitec_(_dot_)_net>
- Date: Thu, 31 Mar 2005 20:15:21 -0600 (CST)
On Thu, 31 Mar 2005, Aaron Suen wrote:
> On Thu, Mar 31, 2005 at 02:37:17PM -0700, Bob Beck wrote:
> > * Matthew Weigel <unique_(_at_)_idempot_(_dot_)_net> [2005-03-31 14:26]:
> > > Aaron Suen wrote:
> > > >
> > > >Basically, mount_null et al. is toast, so I'm sort of in trouble
> > > >running my web server. Basically, I'm trying to run an apache server
> > > >in a chroot environment with minimal access to user files (mounting
> > > >/home/$USER/www into /var/www/users/$USER, keeping most of user's home
> > > >inaccessible), and users access their files via a chrooted pure-ftpd.
> > > >Thus, symlinks won't work, in either direction.
> > >
Aaron,

If the users are doing web site access, why not put just the home
directories *inside* the chroot?

We normally do it that way, with the users having ftp access via chroot,
producing a clean, fairly secure config (especially with the ftp
chroot'd, that way they can't get OUT of their home directories).

The less-than-secure ftp access is more than offset by the chroot'd file
system security; in any case, the users are only moving html & web files,
so there's no need, really, for better security a la ssh.

With ftp access to a chroot'd file system accessible by web, there's also
much less need for shell access anyway.

Lee
================================================
Leland V. Lammert lvl_(_at_)_omnitec_(_dot_)_net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
================================================
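
As an added example (not part of the original message, and not code from OpenBSD or Apache), a Python audit for the layout suggested above: it checks that each user's home directory lies inside the httpd chroot and flags symlinks that would not resolve the same way from inside it. The sample tree, user names and function names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def stays_inside(root: Path, path: Path) -> bool:
    """True if path, with all symlinks resolved, is under root."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False

def audit_chroot(root: Path, homes: dict):
    """Return (users whose home is outside root, problem symlinks under root)."""
    bad_homes = sorted(u for u, h in homes.items() if not stays_inside(root, Path(h)))
    bad_links = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinks
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            rel = p.relative_to(root).as_posix()
            if os.path.isabs(os.readlink(p)):
                # An absolute target is looked up from the chroot's own "/" by httpd.
                bad_links.append((rel, "absolute target"))
            elif not stays_inside(root, p):
                bad_links.append((rel, "escapes chroot"))
    return bad_homes, sorted(bad_links)

def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "var" / "www"
        alice = root / "users" / "alice"
        bob = root / "users" / "bob"
        alice.mkdir(parents=True)
        bob.mkdir(parents=True)
        (alice / "index.html").write_text("<p>hi</p>")
        os.symlink("index.html", alice / "ok")                      # fine
        os.symlink("../../../../home/alice/private", alice / "up")  # leaves root
        os.symlink("/etc/passwd", bob / "abs")                      # absolute
        homes = {"alice": alice, "bob": Path(tmp) / "home" / "bob"}
        return audit_chroot(root, homes)

if __name__ == "__main__":
    print(demo())
```
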