I have built a few Virtual Hosts using nginx but now I want to have some users to modify them without them being able to edit anything else outside the host directory.
I have tried so many things but nothing is working!! This is where I am at, at the moment:
/etc/vsftpd.conf:
listen=YES
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
tpd_banner=Welcome to mikes company sFTP service. Play nice!
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
shell script to create a user:
#!/bin/bash
user=$1
group=$2
directory=$3
if [ "$3" != "" ]; then
echo "You are creating an ftp user -> "$user" inside the group -> "$group" with privelidges for the domain "$directory
else
echo "ERROR!!!"
echo "please enter the command followed by the user and then group and then domain (example.co.uk)"
exit 1
fi
groupadd $group
useradd -G $group $user
sudo chown -vR :$group /NAS/$directory/
sudo chmod -vR g+w /NAS/$directory/
sudo adduser www-data $group
sudo chown -R www-data:$group /NAS/$directory/
usermod --home /NAS/$directory/ $user
passwd $user
But non of this is working. When I setup the user on dreamweaver they can read, access and edit most files on the whole computer which is not what I want!
What am I doing wrong?
/etc/group:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,max
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:max
floppy:x:25:
tape:x:26:
sudo:x:27:max
audio:x:29:pulse
dip:x:30:max
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:max
sasl:x:45:
plugdev:x:46:max
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
messagebus:x:106:
ssl-cert:x:107:
lpadmin:x:108:max
scanner:x:109:saned
mlocate:x:110:
ssh:x:111:
utempter:x:112:
avahi-autoipd:x:113:
rtkit:x:114:
saned:x:115:
whoopsie:x:116:
avahi:x:117:
nopasswdlogin:x:119:
bluetooth:x:120:
colord:x:121:
pulse:x:122:
pulse-access:x:123:
max:x:1000:
sambashare:x:124:max
landscape:x:118:
maxy:x:1001:maxWeb,www-data
maxWeb:x:1002:
maxy2:x:1003:maxWeb2
maxWeb2:x:1004:
fax:x:21:
voice:x:22:
cdrom:x:24:max
floppy:x:25:
tape:x:26:
sudo:x:27:max
audio:x:29:pulse
dip:x:30:max
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:max
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
messagebus:x:106:
ssl-cert:x:107:
lpadmin:x:108:max
scanner:x:109:saned
mlocate:x:110:
ssh:x:111:
mlocate:x:110:
ssh:x:111:
utempter:x:112:
avahi-autoipd:x:113:
rtkit:x:114:
saned:x:115:
whoopsie:x:116:
avahi:x:117:
nopasswdlogin:x:119:
bluetooth:x:120:
colord:x:121:
pulse:x:122:
pulse-access:x:123:
max:x:1000:
sambashare:x:124:max
landscape:x:118:
maxy:x:1001:maxWeb,www-data
maxWeb:x:1002:
maxy2:x:1003:maxWeb2
maxWeb2:x:1004:
maxy3:x:1005:maxWeb3
maxWeb3:x:1006:
maxy4:x:1007:maxWeb4
maxWeb4:x:1008:
sftponly:x:1009:maxWeb7
ssh-users:x:1010:max
maxWeb7:x:1011:
maxWebb:x:1012:
sftp:x:1013:
ftpGroup:x:1014:maxwebb2,maxy1
maxwebb2:x:1015:
maxy1:x:1016:
ftp:x:125:
maximiliangroup:x:1017:maxymil
maxymil:x:1018:
maximiliangroup:x:1017:maxymil
maxymil:x:1018:
maximilianmitchell.info:x:1019:maxwebsite,www-data
maxwebsite:x:1020:
maximilianweb:x:1021:www-data
maximilianweb2:x:1022:www-data
maximilianweb4:x:1023:www-data,maxwebsite4
maxwebsite5:x:1024:www-data
Logging in as new user:
$ su - maxwebsite5
Password:
$ ls
public_html
$ cd /home
$ cd max
$ mkdir test
mkdir: cannot create directory ‘test’: Permission denied
When I log in using dreamweaver and set the root directory as / I can see and edit most things including other virtual hosts directories:
Where as when I set the root directory as nothing it takes me straight to the /NAS/$directory/ which is kind of what I want!
But I really just want the user to think that their / directory is /NAS/$directory/
答案1
Try to use
useradd -g $group $user
or
useradd -N -g $group $user
instead of
useradd -G $group $user
Here's why: from Ubuntu.com: Ubuntu Manpage: useradd - create a new user or update default new user information :
-g, --gid GROUP The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group.
If not specified, the behavior of useradd will depend on the USERGROUPS_ENAB variable in /etc/login.defs. If this variable is set to yes (or -U/--user-group is specified on the command line), a group will be created for the user, with the same name as her loginname. If the variable is set to no (or -N/--no-user-group is specified on the command line), useradd will set the primary group of the new user to the value specified by the GROUP variable in /etc/default/useradd, or 100 by default.
-N, --no-user-group Do not create a group with the same name as the user, but add the user to the group specified by the -g option or by the GROUP variable in /etc/default/useradd.
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.
I believe that what happens is that any user created actually ends up belonging to two different groups, the default one created by omitting -g (which perhaps has read/write permissions on multiple directories) and the one specified by useradd -G $group $user
答案2
Right I have spent 3 or 4 days trying to sort this out. Here is a shell script for a user:
#!/bin/bash
user=$1
directory=$2
if [ "$2" != "" ]; then
echo "You are creating an ftp user -> "$user" with privelidges for the domain "$directory
else
echo "ERROR!!!"
echo "please enter the command followed by the user and then domain (example.co.uk)"
exit 1
fi
sudo useradd -d /NAS/$directory -m $user -s /usr/bin/rssh
passwd $user
echo "added user"
sudo chgrp -R www-data /NAS/$directory
echo $user >> /etc/ftpusers
echo "prevented ftp access for user"
echo -e "
Match user $user
ChrootDirectory /NAS/$directory
ForceCommand internal-sftp
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
" >> /etc/ssh/sshd_config
echo "edited /etc/ssh/sshd_config"
sudo service ssh restart
You also have to download the package rssh and edit the /etc/rssh.conf and uncomment the line allowsftp
答案3
If i understand the question correctly you need to use local_root
local_root=/NAS/$USER/
and you will also need
allow_writeable_chroot=YES
if you wish the user to be able to write to their root folder
or if you wish to have more control you will probably was to use virtual users and user config files.
if so then try the following
How to setup virtual users for vsftpd with access to a specific sub directory?