--On Tuesday, May 17, 2011 03:00:43 PM +0200 Hajo Locke <hajo.locke at
gmx.de>
wrote:
> dont have experience with selinux, but i want to know if it would be a
> practicable way to secure sshd with selinux.
[snip]
Do your users need full ssh access or just scp/sftp? You mention
php/perl, but it's not clear if they need to be able to upload scripts
that use those to render their web pages, or if they're needed
interactively.
(See also the last paragraph at the bottom of this email.)
If they just need scp/sftp, then a really nice solution is to use
Subsystem sftp internal-sftp
ChrootDirectory /var/some-web-dir/%u
in your sshd_config file. You don't have the usual headaches associated
with setting up chroot environments, your users can only see their own
files,
and you can point apache at that hierarchy to serve their pages.
For a username 'joe' with group 'web' with a nominal home
directory
of /home/joe, the setup would then consist of:
install -d -m755 -o root -g root /var/some-web-dir/joe
install -d -m755 -o root -g root /var/some-web-dir/joe/home
install -d -m755 -o joe -g web /var/some-web-dir/joe/home/joe
You can use the above directory instead of public_html if you want
all their files to be visible, or create a public_html under that
directory otherwise. Another option is to create both a public_html
and a logs directory, and then arrange for the apache logs for that
user to be copied there.
You would still need to evaluate whether, in your environment, this
is sufficient for them uploading php/perl scripts and having them
*execute* in an appropriate and secure manner under apache.
Devin