
In CentOS 6.5 (SElinux off, chroot) with Webmin/Virtualmin (latest version) I want to give a developer access to SSH within /home/site so he can use only git to manage the code. I also want to give him access to FTP into /home/site/ and MySQL access to the 3 DBs (site and 2 sub-servers).

SSH: I created a user called dev_ssh. SSH is cert based only login and I have SSH to /home/dev_ssh working. I want to give this user access to the /home/site directory, but the user cannot cd to /home/site unless I add him to sudoers.

FTP: I created 1 user for the site (dev.site), he can access the entire /home/site. This part is working fine.

MySQL: I created a mysql user dev_mysql, and gave this user access to all 3 DBs (main one and sub-servers' DBs). I might have to keep the MySQL access this way, as that user can log in to MySQL remotely only for those 3 DBs (whereas the unix user can only access MySQL from localhost). This part is working fine.

How do I solve the SSH access to /home/site issue?

Additionally, is this entire setup the proper way to set this up in a Webmin environment?

Gaia

4 Answers


Use a system group to give access to the directory. Change the group ownership of /home/site to a common group such as git and add the user dev_ssh to that group.

chgrp -Rvf git /home/site
usermod -a -G git dev_ssh
grekasius
Velnix
  • I cannot change the ownership of the group as that would mess up the entire setup. It's an apache folder, and the folder is owned by sitename. – Gaia Aug 15 '14 at 08:23
  • Is it possible to add dev_ssh to the group which owns /home/site ? – Velnix Aug 15 '14 at 08:25
  • That's what I tried to do. Didn't work. Couldn't even cd into /home/site. – Gaia Aug 15 '14 at 13:03
  • Make sure the group has read and execute permission to that directory: `chmod g+rx /home/site`, `usermod -a -G sitename dev_ssh` – Velnix Aug 15 '14 at 16:41
  • I added dev_ssh to the group. The group owns the dir (recursively). Didn't work. Execute permissions are not needed for a simple `cd`. – Gaia Aug 16 '14 at 09:21
  • That's weird. What's `groups dev_ssh` and `ls -ld /home/{,site}`? – Velnix Aug 16 '14 at 14:20
  • Sorry, I don't understand your question. – Gaia Aug 16 '14 at 17:01
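A diagnostic for the exchange above, added here and not part of the answer: it walks every directory on the way to the target and reports the first one that denies search permission to the user, using GNU stat and id as found on CentOS. It assumes the check is run from inside the same chroot the user logs in to, since paths there are resolved relative to the jail root.

```shell
#!/bin/sh
# Added example (not from the answer): report the first directory on the
# way to TARGET that denies search (x) permission to USER. Every component,
# /home as much as /home/site, must grant x for cd to succeed. Note that a
# group added with usermod -a -G only applies at the user's next login.

# user_has_x MODE OWNER_UID GROUP_GID UID "GID GID ..."
# MODE is the octal mode as printed by stat -c %a (750, 2750, ...).
# Returns 0 when the mode bits grant x to UID, 1 otherwise.
user_has_x() {
    mode=$1 owner=$2 group=$3 uid=$4 gids=$5
    if [ "$uid" -eq 0 ]; then                  # root bypasses mode bits
        return 0
    fi
    if [ "$uid" -eq "$owner" ]; then           # owner class: bit 0100
        return $(( (0$mode & 0100) == 0 ))
    fi
    for g in $gids; do                         # group class: bit 0010
        if [ "$g" -eq "$group" ]; then
            return $(( (0$mode & 0010) == 0 ))
        fi
    done
    return $(( (0$mode & 0001) == 0 ))         # other class: bit 0001
}

# first_blocked_component USER TARGET: prints the offending directory and
# returns 1; prints nothing and returns 0 when USER can reach TARGET.
first_blocked_component() {
    user=$1 target=$2
    uid=$(id -u "$user") || return 2           # unknown user
    gids=$(id -G "$user") || return 2          # primary + supplementary GIDs
    dir=
    for part in $(printf '%s' "$target" | tr '/' ' '); do
        dir=$dir/$part
        info=$(stat -c '%a %u %g' "$dir") || return 2
        set -- $info
        if ! user_has_x "$1" "$2" "$3" "$uid" "$gids"; then
            printf '%s denies x to %s (mode %s, owner %s, group %s)\n' \
                "$dir" "$user" "$1" "$2" "$3"
            return 1
        fi
    done
    return 0
}

# usage: first_blocked_component dev_ssh /home/site
```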

In ~/.ssh/authorized_keys

command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss [...]
NuTTyX
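An added example that builds on the forced-command idea above (it is not from the answer): a wrapper that the `command=` option can point at, which accepts only fetch and push against repositories below /home/site, logs everything else, and hands the accepted command to git-shell. The script path /usr/local/bin/git-only.sh and the repository root are assumptions, and clients are assumed to use absolute repository paths (ssh://host/home/site/repo.git).

```shell
#!/bin/sh
# Added example: forced-command wrapper for dev_ssh's authorized_keys entry:
#   command="/usr/local/bin/git-only.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss [...]
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; only
# git-upload-pack/git-receive-pack on a path below REPO_ROOT reach git-shell.
# Script path and REPO_ROOT are assumptions, not from the original answer.

REPO_ROOT=${REPO_ROOT:-/home/site}

# allowed_git_command CMD: returns 0 if CMD is exactly one git-upload-pack
# or git-receive-pack call on an absolute path below REPO_ROOT, else 1.
allowed_git_command() {
    cmd=$1
    # reject anything that could leave the repo root or chain a second command
    case "$cmd" in
        *..*|*'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*"'"*"'"*"'"*)
            return 1 ;;
    esac
    case "$cmd" in
        "git-upload-pack '$REPO_ROOT/"*"'"|"git-receive-pack '$REPO_ROOT/"*"'")
            return 0 ;;
    esac
    return 1
}

git_only_main() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "interactive login disabled: git access only" >&2
        exit 1
    fi
    if ! allowed_git_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t git-only "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
    exec git-shell -c "$SSH_ORIGINAL_COMMAND"
}

# Dispatch only when run as the installed script, so the functions can be
# sourced and tested on their own.
case "$0" in
    */git-only.sh) git_only_main ;;
esac
```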

You can restrict the 'git' user to only doing Git activities with a limited shell tool called git-shell that comes with Git. If you set this as your 'git' user’s login shell, then the 'git' user can’t have normal shell access to your server. To use this, specify git-shell instead of bash or csh for your user’s login shell. To do so, you’ll likely have to edit your /etc/passwd file.

Satalink
  • Yes, git-shell is the way to go, but that only helps after the user can access the needed folders. – Gaia Aug 15 '14 at 08:22
  • Perhaps you don't fully understand. You change the shell from /bin/bash or /bin/sh (whatever is defined for the user in /etc/passwd) to /bin/git-shell. Then when the user logs in, he/she can only perform git related actions. To restrict their commands: Place a directory named 'git-shell-commands' in the home directory of a user whose shell is git-shell. Then anyone logging in as that user will be able to run executables in the 'git-shell-commands' directory. – Satalink Aug 15 '14 at 14:42
  • You can control what commands are available to the git user by adding links to the commands in their /home/git/git-shell-commands directory, the first of which would be "git" itself. If you want them to have specific commands available such as "ls", then you need to make a link to ls in their git-shell-commands directory: `ln -s /bin/ls ls` --- now they'll be able to execute ls from their git-shell connection. – Satalink Aug 15 '14 at 15:08
  • git-shell will be implemented, but he still will not be able to use the commands on the folders he doesn't have permission to. He can't cd to /home/site even if I add dev_ssh to the group that owns that directory. It must be a chroot problem. – Gaia Aug 15 '14 at 19:08
  • Permissions will be honored. You'll have to add cd to his git-shell-commands for him to be able to change directories at all. I haven't found that command in my setup... thinking it's part of shell. – Satalink Aug 15 '14 at 19:21
  • Yes, since they will be honored, my problem is not git-shell. It's the setup/chroot within this environment (a standard CentOS system with Webmin/Virtualmin). – Gaia Aug 16 '14 at 09:20
  • If you want to change to user's home directory, simply modify the /etc/passwd file. dev_ssh:x:32016:32018::/home/site:/bin/git-shell – Satalink Aug 16 '14 at 12:52
  • I would do that if I wanted to give him access to a dir and all its subdirs. But since he works on /home/site and /home/othersite I'd have to give him access to /home, which cannot be done. – Gaia Aug 16 '14 at 17:00
setfacl -m u:dev_ssh:rx /home/site      # access ACL: lets dev_ssh enter the directory itself
setfacl -m d:u:dev_ssh:rx /home/site    # default ACL: inherited by subdirectories created later

Make sure the filesystem containing /home/site has been mounted with the acl option. Source: CentOS Access Control List docs.

aecolley