View Full Version : vsftp + Apache suexec Howto


Lloyd
02-20-2008, 04:51 AM
Those who host virtual domains (doesn't everyone?) and allow FTP connections to upload webpages, etc., will want to make use of the FTP server's ability to confine users to a chroot "jail." This keeps users from nosing around your server's entire filesystem. See Rimuhosting's vsftp howto (http://rimuhosting.com/howto/ftp.jsp).

If you chroot FTP users to their home directory, the directory root of their web pages will have to be "under" their home directory, like this:

/home/george/www/

In this example, "www" is user george's directory root.

Apache can serve web pages out of a subdirectory of a home directory just fine, but if you want to use suexec, you will run into a problem with this. (Suexec is an Apache module that executes CGI scripts with the permissions of a given user, rather than with the permissions of the Apache server. See http://httpd.apache.org/docs/2.0/suexec.html.)

The problem is that suexec requires that all scripts be executed out of Apache's "suexec document root." The suexec document root setting is compiled into the Apache server. The default for Debian is /var/www/.

Unless the suexec document root is set to /home (which it is not in any Linux distribution, I believe), suexec cannot be used when users can only FTP to their home directory and below.

In sum, for Debian, all files executed by suexec have to be under /var/www.
But vsftp's jail confines user george to /home/george.

Symbolic links won't work to fix any of this. :confused:

One way to fix it, suggested to me by Rimuhosting, is to recompile Apache with "--with-suexec-docroot=/home". In my opinion, this is impractical, since you would have to recompile Apache every time the Apache server is updated, which it is frequently. Easy no-brainer updates are one of Debian's great features.

The solution I finally found is to simply move users' home directories so that they are under the suexec document root!

To do this, first we create a new home directory under the suexec document root:
mkdir /var/www/home2

Then, for our user george, you should be able to move his home directory with a single command:
usermod -m -d /var/www/home2/george george

(Actually, this command did not work for me, so I had to first move the home directory "manually," then execute
usermod -d /var/www/home2/george george)

You should also be able to change the system default home directory for new users, like this:
useradd -D -b /var/www/home2

(If you found this howto useful, please leave a comment.)
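
After moving a home directory as described above, a script like the following can confirm that a CGI script's location would pass suexec's path checks, and shows why the symlink approach fails. It is an added example, not part of the original post; the function names are hypothetical, the docroot defaults to the Debian value /var/www quoted above, and ownership by the target user (which suexec also requires) is not checked here.

```shell
#!/bin/sh
# Added example: approximates three of suexec's checks for one CGI script.
# Usage: suexec_path_ok SCRIPT [DOCROOT]   (DOCROOT defaults to /var/www)

# Print the physical (symlink-free) path of a directory.
real_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# Succeeds if the path is writable by group or by others.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

suexec_path_ok() {
    script=$1
    docroot=$(real_dir "${2:-/var/www}") || { echo "docroot missing"; return 2; }

    # suexec lstat()s the program and refuses it if it is a symlink.
    [ -L "$script" ] && { echo "FAIL: $script is a symlink"; return 1; }
    [ -f "$script" ] || { echo "no such script: $script"; return 2; }

    # suexec chdir()s into the directory and compares the real working
    # directory with the docroot, so a symlink under the docroot that
    # points into /home resolves to /home and is rejected.
    dir=$(real_dir "$(dirname "$script")") || { echo "cannot enter dir"; return 2; }
    case "$dir/" in
        "$docroot"/*) ;;
        *) echo "FAIL: $dir is outside $docroot"; return 1 ;;
    esac

    # Neither the directory nor the script may be group/other-writable.
    for p in "$dir" "$script"; do
        if loosely_writable "$p"; then
            echo "FAIL: $p is writable by group or others"; return 1
        fi
    done
    echo "OK: $script"
}

# Run the check when the file is invoked with arguments.
if [ "$#" -gt 0 ]; then suexec_path_ok "$@"; fi
```

For the layout in this howto, the call would be `suexec_path_ok /var/www/home2/george/www/script.cgi`, where script.cgi is a placeholder name.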