jailed httpd/apache website management?

[neurosis]

I am running httpd inside of a jail and have been thinking about how I would like to manage this web site. The web site is for personal use and for learning experience only. My problem is that I would like to keep this jail secure and am not sure that I want or need to run sshd in it nor have any user accounts added other than what apache added during install (www:www)? Anyway, what I wonder is, how do people manage their web pages inside of a jailed environment? What I mean is, how do you edit and transfer files and web pages to your jailed webserver? I plan on adding some virtual hosts in the future for things like docuwiki etc. In the past I just set up user home directory allowed web pages and created a basic login just for my web page but I would like to try something else. Any suggestions are appreciated.

Thanks.

 

[hark]

I don't think running a jailed sshd or adding additional user accounts is a security issue (granted you use a strong password, or no password authentication at all). If it is, consider this -- which would you rather have more insecure? the jail or the host?

For my setup, I've got a jail running both Lighttpd and sshd to serve web content. When I need to modify the content, I log directly into the jail (rather than into the host). In the case that the jail becomes compromised, it can simply be shutdown, wiped and restarted without damaging the host environment (or the other services -- postgres, svn, etc -- each running in their own jails).

 

[neurosis]

Thanks for the reply. In your web server jail how do you have your site layed out? What I mean is, do you use the default apache install locations for your site or do you use your user directory? And if you use the default location, do you just add the user to the www group to make the changes to the site? I may set up a user and sshd and just use the firewall to only allow trusted hosts to ssh to the box.

 

[anomie]

I am running httpd inside of a jail and have been thinking about how I would like to manage this web site. The web site is for personal use and for learning experience only. My problem is that I would like to keep this jail secure and am not sure that I want or need to run sshd in it nor have any user accounts added other than what apache added during install (www:www)? Anyway, what I wonder is, how do people manage their web pages inside of a jailed environment?

For a personal wiki, I just copied files from the host and/or entered the jail from the host as needed.

# jexec 1 /bin/csh

If you're looking to simulate an environment where other users/developers have the ability to upload and edit files for your web application, you will obviously need to provide some mechanism for accessing the jail directly.

For dokuwiki, you don't need to worry about any of this. Just use its ACL features, and content will all be managed through dokuwiki itself.

 

[hark]

Thanks for the reply. In your web server jail how do you have your site layed out?

/usr/local/www/{public,public-ssl,cgi/{project1,project2}}

Do you just add the user to the www group to make the changes to the site? I may set up a user and sshd and just use the firewall to only allow trusted hosts to ssh to the box.

Yeah, I just add the unprivileged user to the www group. It works fine for me since I'm the only one using the box, but I imagine the semantics get a bit more complicated if you've got multiple users. If you've got multiple people in completely separate vhosts (and want to make sure they can't see one another), you might consider using mod_userdir or something rather than lumping them all in the same group with the same ``public'' folder.