Apache User and Shell Security Question
I just set up a WordPress server running Ubuntu. In order to get the pointy-clicky updates to work I had to set up SFTP on the server. I installed vsftpd and opened the port. After forcing encryption I enabled local accounts access to the SFTP server. Since Apache serves WordPress I needed to give www-data access to the SFTP server. I set the www-data password, and added /usr/sbin/nologin to the file /etc/shells.
This method works but I am concerned about security:
1) Setting the password on a system account seems like a bad idea. I have SSH locked down via AllowUsers, but I don't know enough to be certain that this didn't open a hole internally. Is this generally a bad idea and is there an alternative approach?
2) I understand that /etc/shells is just a list of users' shells that vsftpd will accept, but I have never come across the nologin shell before. Researching I found that it is a way to refuse logins and thus a way to cordon off system accounts. Hence I feel a little dirty adding access to accounts that we want to not have access. Did I just give every system account access to the SFTP server?
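Added example, not part of the original thread: a small audit for the concern in question 2, listing which accounts have both a shell that appears in /etc/shells and a usable password hash. It assumes the FTP daemon authenticates local users by password and checks the shell only against /etc/shells; deny lists and other controls are not modelled, and all file contents below are constructed.

```python
# Constructed sample file contents (not from a real host).
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n/usr/sbin/nologin\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:$6$constructedsalt$constructedhash:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
backup:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

def listed_shells(shells_text):
    """Shell paths listed in /etc/shells, ignoring comments and blank lines."""
    lines = (line.strip() for line in shells_text.splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def usable_password(hash_field):
    """A leading '!' or '*' marks a locked or password-less account.
    An empty field is treated as unusable (assumes empty passwords are rejected)."""
    return bool(hash_field) and hash_field[0] not in "!*"

def password_login_candidates(passwd_text, shadow_text, shells_text):
    """Accounts that pass the shell check AND have a password that can authenticate."""
    valid = listed_shells(shells_text)
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, hash_field = line.split(":")[:2]
            hashes[name] = hash_field
    found = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if shell in valid and usable_password(hashes.get(name, "")):
            found.append((name, uid, shell))
    return found

if __name__ == "__main__":
    for name, uid, shell in password_login_candidates(PASSWD, SHADOW, SHELLS):
        print(f"{name} (uid {uid}, shell {shell}) can authenticate by password")
```

In the sample data, daemon and sshd pass the shell check once /usr/sbin/nologin is listed but still cannot authenticate because their passwords are locked; www-data is the only system account reported. To audit a real host, pass in the contents of /etc/passwd, /etc/shadow (readable by root) and /etc/shells.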
I'd just like to clarify something.
SFTP is the Secure FTP option within the ssh pkg. You can alternatively(!) use vsftpd+TLS. They are however completely unrelated and you (probably) only need one or the other. Does that help?
Quote:
http://www.cyberciti.biz/tips/centos...ual-users.html