LinuxQuestions.org


Obscurious 10-24-2012 04:59 PM

Apache User and Shell Security Question
 
I just set up a WordPress server running Ubuntu. In order to get the pointy-clicky updates to work I had to set up SFTP on the server. I installed vsftpd and opened the port. After forcing encryption I enabled local accounts access to the SFTP server. Since Apache serves WordPress I needed to give www-data access to the SFTP server. I set the www-data password, and added /usr/sbin/nologin to the file /etc/shells.

This method works but I am concerned about security:

1) Setting the password on a system account seems like a bad idea. I have SSH locked down via AllowUsers, but I don't know enough to be certain that this didn't open a hole internally. Is this generally a bad idea and is there an alternative approach?

2) I understand that /etc/shells is just a list of users' shells that vsftpd will accept, but I have never come across the nologin shell before. Researching I found that it is a way to refuse logins and thus a way to cordon off system accounts. Hence I feel a little dirty adding access to accounts that we want to not have access. Did I just give every system account access to the SFTP server?
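
Added example, not part of the original thread: a Python audit for the second concern in the post above, listing system accounts that would pass both a shell check against /etc/shells and password authentication. It assumes vsftpd authenticates through PAM with a pam_shells check, runs on constructed passwd/shadow/shells data, and the function names and the UID cutoff of 1000 are assumptions.

```python
# Constructed sample data (not taken from the poster's server).
SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/sbin/nologin
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:!:15637:0:99999:7:::
daemon:*:15637:0:99999:7:::
www-data:$6$CONSTRUCTEDSALT$constructedhash:15637:0:99999:7:::
sshd:*:15637:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$constructedhash:15637:0:99999:7:::
"""

def listed_shells(text):
    """Return the shells named in /etc/shells, skipping comments and blanks."""
    lines = (line.strip() for line in text.splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def password_usable(field):
    """A shadow field starting with '!' or '*' is locked or has no valid hash.
    An empty field is flagged too, since it means no password is required."""
    return not field.startswith(("!", "*"))

def audit(passwd, shadow, shells, uid_min=1000):
    """List (user, uid, shell) for system accounts (uid < uid_min, an assumed
    cutoff) whose shell is listed AND whose password can authenticate."""
    allowed = listed_shells(shells)
    hashes = dict(line.split(":")[:2] for line in shadow.splitlines() if line)
    exposed = []
    for line in passwd.splitlines():
        if not line:
            continue
        fields = line.split(":")
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        # Accounts missing from shadow are treated as locked.
        if uid < uid_min and shell in allowed and password_usable(hashes.get(user, "*")):
            exposed.append((user, uid, shell))
    return exposed

if __name__ == "__main__":
    for user, uid, shell in audit(PASSWD, SHADOW, SHELLS):
        print(f"{user} (uid {uid}, shell {shell}) passes shell check and has a usable password")
```

On the sample data only www-data is reported: the other nologin accounts pass the shell check but have locked password fields.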

chrism01 10-24-2012 06:44 PM

I'd just like to clarify something.
SFTP is the Secure FTP option within the ssh pkg.
You can alternatively(!) use vsftpd+TLS.
They are however completely unrelated and you (probably) only need one or the other.
Does that help?

jsaravana87 10-25-2012 12:50 AM

Quote:

1) Setting the password on a system account seems like a bad idea. I have SSH locked down via AllowUsers, but I don't know enough to be certain that this didn't open a hole internally. Is this generally a bad idea and is there an alternative approach?

As an alternative solution, you can also try vsftpd with virtual users, which lock the ftp user to login via ssh. See the link:

http://www.cyberciti.biz/tips/centos...ual-users.html

Obscurious 10-25-2012 02:26 PM

Quote:

Originally Posted by chrism01 (Post 4814224)
I'd just like to clarify something.
SFTP is the Secure FTP option within the ssh pkg.
You can alternatively(!) use vsftpd+TLS.
They are however completely unrelated and you (probably) only need one or the other.
Does that help?

You are absolutely correct. I need FTP + TLS since wordpress only has FTP capabilities. Thanks.

Obscurious 10-25-2012 05:21 PM

Quote:

Originally Posted by arun5002 (Post 4814363)
As an alternative solution, you can also try vsftpd with virtual users, which lock the ftp user to login via ssh. See the link:

http://www.cyberciti.biz/tips/centos...ual-users.html

Wow, this is a really cool feature that I didn't know existed. Thank you!
