Using ezjail just for isolating the user home directory

sysnes


Hello everyone, I hope all of you are fine.

I decided to change my strategy using ezjail.
Before:
* Installed nginx and php-fpm in one jail, and also created all users in this jail
* Installed mysql in another jail
* On the main host, used pf to forward ports to nginx, mysql, etc.

Now:
* On the main host, install all of nginx, php, mysql
* Create one jail for every user, just to isolate the user's home directory
* Use pf just to forward a custom port 600x to port 22 of each user's jail; just sftp, ssh console disabled

In nginx I have this syntax:

server {
    listen 80;
    server_name test.com www.test.com;
    root /usr/jails/newuser/home/newuser/public;
    .....
    .....
}

nginx by default has root privileges, so it can read that user directory path. Also, in the jail of newuser I made these changes:
* set the user to group justsftp, ssh shell disabled (chroot for this user)
* chown -R newuser:www /home/newuser/public
* chmod -R 770 /home/test/public/

I have to set the group to www so php-fpm can write to this directory.

All this is working well (WordPress site).

What do you think about this strategy?

In the future I want to be able to control server resources like CPU, memory, and directory disk quota.

Does this approach interfere with future plans?

Thanks for any comments.
 

ShelLuser


> nginx by default has root privileges, so can read that path user directory,

To my knowledge it doesn't. The only moment nginx uses root privileges is to bind itself to port 80, which is a privileged port. After that it immediately drops these permissions and will switch to its default user account.

Therefore you can't rely on nginx being capable of overruling any permission schemes. In fact, that's a really poor approach in the first place, especially if you actually value security. Just double check your permission masks and make sure the nginx process has access.

Just because it's a user directory doesn't imply that no one other than the user can access it you know. By default masks are set to 755.
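
Added example, not part of either post above: one way to do the permission-mask check the reply recommends is to walk every directory from the filesystem root down to the docroot and report the first one the unprivileged worker cannot pass. The uid and group ids are inputs you look up yourself (for example with `id www`, assuming the worker runs as `www`); `first_block`, `triplet_allows` and `build_sample_tree` are hypothetical names, and the sample tree is a constructed stand-in for the jail path.

```python
import os
import stat
import tempfile

SEARCH, READ = 0o1, 0o4

def triplet_allows(st, uid, gids, want):
    """Classic Unix mode check: exactly one triplet applies (owner, else group, else other)."""
    if uid == 0:
        return True  # root bypasses read/search mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def first_block(path, uid, gids, root="/"):
    """Return the first component from root down to path that denies uid, else None.

    Each directory needs search (x); the last component also needs read (r).
    Only st_mode is evaluated; ACLs and MAC policies are out of scope.
    """
    rel = os.path.relpath(path, root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path is not below root")
    chain = [root]
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for i, p in enumerate(chain):
        st = os.stat(p)
        want = SEARCH if stat.S_ISDIR(st.st_mode) else 0
        if i == len(chain) - 1:
            want |= READ
        if not triplet_allows(st, uid, gids, want):
            return p
    return None

def build_sample_tree():
    """Constructed stand-in for the jail path, docroot at mode 770 as in the post."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "newuser")
    docroot = os.path.join(home, "public")
    os.makedirs(docroot)
    for d, mode in ((base, 0o755), (os.path.dirname(home), 0o755), (home, 0o755), (docroot, 0o770)):
        os.chmod(d, mode)
    return base, home, docroot
```

On the real host the call would be `first_block("/usr/jails/newuser/home/newuser/public", uid, gids)`. A 770 docroot is reachable only while the worker is the owner or in the owning group, and a restrictive mode on any parent directory blocks it regardless of the docroot's own mode.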
 