Re: security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



roland wrote:
> On Thu, 12 Aug 2010 15:31:04 +0200, Tim <ignored_mailbox@xxxxxxxxxxxx>  
> wrote:
> 
>> On Thu, 2010-08-12 at 14:40 +0200, roland wrote:
>>> I would like to give someone a login on my server.
>>> But, I would like to limit access to his home dir.
>>>
>>> With Nautilus, Konqueror or from distance with p.e. Winscp, this
>>> person could see what he wants and do maybe the unexpected.
>> Unless you get slack with permissions, they can't read files owned by
>> someone else unless those files have read permission for "other" users.
>> Likewise, regarding writing to them.  No ordinary user can change system
>> or application files, only their own files.
>>
>> And, as far as restricting them, that may depend on what you mean by
>> logon to your system.  You're sharing out a drive, directories, or
>> actually allowing a direct logon where they can run things.
>>
> Someone who will install a website on the server. So I thought to give him  
> a login and config apache to read the dir in his home dir.
> He has to upload the files for this site. So I won't him to see only his  
> home dir.
> 
> So actually he will not run something, just install.
> 
Complex solutions (require building an environment):
- chroot setup
- virtual machine
Other solutions:
- sftp
- rsync (possibly with relative option)

Note that ssh should be used, with a private key and entry in authorized_keys. 
This has two benefits, one being that he doesn't have (or need) the password, 
and the authorized_keys file can restrict him to executing one and only one 
command or sequence of commands. This eliminates the need for an interactive 
login, always nice.

I would think about letting him provide CGI, that kind of bypasses all the 
protections unless you run him full time in a VM. Just my thought on it.

-- 
Bill Davidsen <davidsen@xxxxxxx>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux