A friend and I are setting up a simple web hosting server. We want to lock it down as much as possible so that users can't access anything but their own home directories, but obviously we don't want to break anything in the process. We also don't really want to use chroot - bad experiences in the past. What's the best way to go about doing it?

If it were me I'd look at implementing a Linux-VServer to contain your cantankerous users in. Within the pseudo-virtualized environment, you could simply make filesystem permissions on their home directories less liberal.

Although I haven't tried this out, the installation on debian looks particularly painless.

Vservers would be overkill for this purpose, but if thats your cup of tea check out OpenVZ as well.

Overkill to you == peace of mind to me.

Yeah, we don't really want a separate VServer for each website hosted - especially as the people we're hosting for are unlikely to know anything about server administration. Might be worth doing one or two for the different types of sites we're hosting though.

We're not going to give users SSH access - only FTP and they'll be locked in to their home directory - but we want to be on the safe side with permissions. Apart from not letting users access other users' home directories, and not being able to read config files, what do we need to be careful about? Maybe using suphp?

More info like this in your first post (rather than after the fact) will generally help you get a more useful response. Given this new info, Linux-VServers are probably not needed.

What is your real question about then? Filesystem/permission security? It sounds like you'll be using chrooted ftp for each user (and presumably a nologin shell).

Yeah, sorry - what we want is still a bit hazy and we keep changing our minds.

I think that's pretty much what we're going for. Really, what we want is to restrict what users can do as much as possible, and reduce the risk of their sites compromising our server - we've inherited the server which got rooted a few times before we came along. We've since formatted and reinstalled so we're just looking to get the most secure setup possible.

I know a 'chrooted' ftp account is quite secure, but I've read it can be broken. With PHP, we're going to use open_basedir to lock that aspect down (other scripting languages won't be executable), and we've got our /tmp on a separate partition, mounting with nodev, nosuid and noexec.

Is there anything else we can do?

I'm going to make some assumptions first -- namely that you're familiar with and have taken very general hardening steps such as: shut off unneeded services, removed unnecessary packages, disabled suid binaries where possible, looked at potentially implementing a HIDS, hardened traffic at the IP level where possible (via netfilter), etc.

I don't know the status of MAC implementations on debian, but if something worthwhile is available that would be a good area to look into further. This could be the difference between a zero-day exploit in apache (or a poorly configured apache) causing major damage or being contained within its security context.

Finally, at the application level both apache and PHP are very complex beasts. To harden these properly would require an understanding beyond what I can personally provide. I'd look into books and/or classes to get you up to speed.

This all comes down to your customers and your acceptable level of risk. Is this a fun little test project for some buddies? If yes, you can shoot and miss, rebuild and try it all over again. Does your mortgage payment depend on a successful outcome with this project? If yes, I'd get ready to do a lot of learning and testing up front to properly harden the OS, application, and network layers.

Addendum: The chrooted ftp account (try vsftpd -- it's pretty good) is the least of your worries, IMO. Just set them up and give them a nologin shell.

Do keep in mind that ftp is a clear text protocol, though, so their authentication info will be sent across the wire for nasty people to potentially see.

It sounds like you want a server configured for reselling. This is a problem that has been solved thousands of times before, by every provider of shared hosting services.

There are many ways to do this, and all kinds of pre-packaged stuff out there to help you do it.

cPanel and LxAdmin are the commercial packages that will do all this for you right out of the box, or you can use DirectAdmin, which is free (based on Webmin).

Unfortunately we can't use any panels because our 'clients' aren't necessarily going to have their own domain names (which, as far as I can tell, is a prerequisite of setting up hosting through a panel).