1

I'm needing to setup a basic web user account on my ubuntu 10.10 server to host web pages. This account should be limited to access only the necessary directories on the machine. I setup the following account but nothing happens when I try to log into it:

:~$ groupadd -g 1005 webgroup
//I then changed the group and permissions of a current user I had already created
:~$ sudo usermod -g 1005 -s /bin/false -d /home/webuser/ webuser

When trying to login using this account I enter the username [webuser] and the password but it just redirects me back to the login: prompt. I tried resetting the password but still have the same problem.

Can someone either tell me what I'm doing wrong, or suggest another method that would achieve the same result (if not a better one).

It sounds like I do not want the user to be able to login at all. However, (my grasp on this concept is apparently very small so bear with me) doesn't the user have to be logged in for web requests to be received by that user? In other words, web requests are received and interpreted by the user who is logged in at that time (correct?). If this is a continuously running server and is always turned on in our server room, then shouldn't the logged in user be my 'webuser' I just created in order to limit access to individuals trying to hack in?

Flyk
  • 1,480
  • 3
  • 18
  • 24
sadmicrowave
  • 1,068

3 Answers3

4

You don't need to have anyone "log in" to the server for the webserver to run. The web server (Apache?) Will run as either nobody, apache, http, or whatever user that service is designed to run as. It'll serve up content to whatever valid requests are made to it as long as it's on. Since it runs daemonized it will continue to run without anyone logged in actively. Furthermore, no one should have to log in as the webserver user for security reasons.

If you want users to be able to upload and place new content on the webserver without actually giving them access to the machine they don't need SSH access (though you could give them that) They really need FTP access to a secured location on the box which the web server is configured to read from. Typically most web servers read from /var/www - though you can configure it to read from any directory in the system. They don't constantly need to be logged in for it to run either. Just log in via FTP - upload files - refresh browser.

Community
  • 1
Marco Ceppi
  • 48,827
3

You are using /bin/false, which connects then closes your connection. Perhaps setting the user's shell to /bin/bash will remedy this issue.

:~$ chsh -s /bin/bash webuser

When I checked /etc/shells, I saw no /bin/false listed.

SinaCutie
  • 61
0

What exactly are you trying to achieve? The question states that you'd like to allow access to selected directories only, but your comment to tenach's answer suggests that you want to disallow login at all.

The best way to enclose a user in a specific directory hierarchy is to chroot SSH sessions, and there are tutorials on how to do that on the Web. I don't recommend relying solely on Unix permissions for protection.

Adam Byrtek
  • 9,861