--On Tuesday, May 17, 2011 03:00:43 PM +0200 Hajo Locke hajo.locke@gmx.de wrote:
I don't have experience with selinux, but I want to know if it would be a practicable way to secure sshd with selinux.
[snip]
Do your users need full ssh access or just scp/sftp? You mention php/perl, but it's not clear if they need to be able to upload scripts that use those to render their web pages, or if they're needed interactively. (See also the last paragraph at the bottom of this email.)
If they just need scp/sftp, then a really nice solution is to use
    Subsystem sftp internal-sftp
    ChrootDirectory /var/some-web-dir/%u
in your sshd_config file. You don't have the usual headaches associated with setting up chroot environments, your users can only see their own files, and you can point apache at that hierarchy to serve their pages.
For a username 'joe' with group 'web' with a nominal home directory of /home/joe, the setup would then consist of:
    install -d -m755 -o root -g root /var/some-web-dir/joe
    install -d -m755 -o root -g root /var/some-web-dir/joe/home
    install -d -m755 -o joe -g web /var/some-web-dir/joe/home/joe
You can use the above directory instead of public_html if you want all their files to be visible, or create a public_html under that directory otherwise. Another option is to create both a public_html and a logs directory, and then arrange for the apache logs for that user to be copied there.
You would still need to evaluate whether, in your environment, this is sufficient for them uploading php/perl scripts and having them *execute* in an appropriate and secure manner under apache.
Devin