I have a web server with RH9 installed. I have added a couple of users to make updates to the websites. I wanted to know how I can prevent shell access and / directory access.

For example, I have a website located in /home/sites/site1/web, I have made this the user's default directory. But the user is still able to go to /etc I want it so the user may only be able to go up to /home/sites/site1

Also the user is able to log in with ssh. I changed the shell to /bin/false and this solves the ssh problem but then ftp is also blocked.

All help is welcome.

kihtap

If they only need to update the website through ftp, then you don't need to make them regular users. If they have accounts because they use their account to produce the changes (rather than offline), then they will need normal access to perform change the website. You can have a shell running in a jail. This would mean providing a scaled down version of the system inside of the jail.

You can have a non-anonymous ftp server running in a jail, and make these two people guest users.
This link could be a starting point for you: http://aplawrence.com/Bofcusm/1444.html

Having read access to /etc is normal, as many programs require read access to the configuration files, such as when they login, their home directory and default shell are read from /etc/passwd.

If you put them in a ch-rooted jail, you need to be careful which commands you include. For example, with the restricted shell, the '/' character isn't allowed in pathnames. But just executing a script will remove the restrictions. Starting a regular bash shell, if you allow it would also remove restrictions. The restricted shell is intended to be used to run a server in a jail. It is insurance in case the service crashes.

Most distributions have security settings, and the highest is often called 'paranoid' settings. This may even restrict users from accessing man pages.

Also, if you have a storage partition mounted, such as an external vfat drive to store mp3's for instance, make yourself the owner and group owner of the partition, and use the 'noexec' and 'nodev' option.

Also, you can tighten up the password policy. This way, a user can't choose a weak password. This can help prevent a third party from guessing the passwords of one of the users.

If the strictest security level isn't enough, and they can't get their work done in a jail, maybe you don't want others accessing your computer in the first place. You would probably be safer in the long run concentrating on security issues in general, such as removing programs and commands that a web-server doesn't need, removing unnecessary suid programs, not running any services like mail that have shell hooks. Scanning your machine looking for open ports.