Hi guys,

I'm still a newbie and don't know what are the generally accepted practices for achieving the following goal while keeping security in mind:

1. I want to run a web server where my friends can use my Linux box to host their web sites.

I'm planning on using virtual hosts in apache to direct requests to different user directories in /home.
i.e. www.blah.com --> /home/blah.
www.foobar.com --> /home/foobar

I'd like it to be secure so that users don't have access to another user's directory or my root directories like /etc. or /var, etc.

Preferably, i'd like some users to have shell access and all users have ftp access to their directories (for now please pretend that ftp protocol is secure, i will be switching to sftp or scp). I was looking at using chroot to keep users in their directories but i've read that it's trivial to bust out. Then i read about chroot jails (from the Jail Chroot Project), which are better, but take a lot of work to configure and to make sure they are secure.

Then i thought maybe i'll make it so that no users will have shell access, just ftp access so they can administer their web sites. I would then use the directive DefaultRoot in ProFTPd to chroot the user into their home directory. I think this would be a safe option but of course the user loses functionality because of no shell access.

Any other ideas? What's the best solution?

Ok, first of all let me just state that your ISP probably won't like you registering a domain on their IP addresses (unless you are your ISP, or have a very friendly one) so we'll leave the discussion of domain registration, bind and apache virtual hosts alone.

User security:
For users that you don't want to give shell access to set their shell to /bin/false in /etc/passwd.

In /etc/proftpd.conf you'll have to set RequireValidShell to Off.

Add all users to a single group, users is a good choice, and restrict default perms by turning off USERGROUPS and set DIR_MODE=0700 in /etc/adduser.conf

In /etc/proftpd.conf set DefaultRoot ~ users