More Secure Web Hosting

For a while now I've been working to better secure our shared web hosting at SoftGroup Interactive. For ease of administration we like to keep all the sites on each server under the /var/www tree. For security this presents a few issues. First, we give our users FTP access to their sites and it is less than desirable for them to see the whole /var/www tree lest they get any ideas. Second, it gives away a little bit too much about our other clients. It also isn't very flexible for the end users because they can't store "scratch" files anywhere on disk.

The ideal solution would be to somehow give users their own home directory and also give them access to their sites. Preferably we should be able to chroot the users into their home. Under the current system we used filesystem permissions to hide folders from users. ProFTPD had the option to not show users files they didn't own, so we could give them access to the /var/www tree without giving away too much information. This still isn't awesome because users can't upload "scratch" files; they are basically restricted to uploading stuff to their webspace.

Lately, however, I've learned of an even better solution. We now create home directories for each client, real honest-to-goodness home directories. When we transitioned to Ubuntu server we also switched to vsftpd and now had the option to chroot users into their homes (perhaps this was possible under ProFTPD, I didn't pay much attention). For the sites we use bind mounts (mount --bind) for each site the user owns. This gives us a lot of flexibility to secure the system however we like but also gives the users access to their sites and the ability to post files outside of their webspace.

There are two downsides to this solution, both of which should be easy to remedy. We have to use real *nix users. This will be mitigated when we make our full leap to centralized user management in LDAP. The other annoyance is the need to update /etc/fstab with all the bind mounts. I'm thinking about just writing a quick script to interact with our billing system to generate that, but for now it gets done by hand.
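As an added example (not part of the original post or SoftGroup's own tooling), here is a small shell script that generates the /etc/fstab bind-mount lines for a client's sites and checks that the chroot home is laid out safely. It assumes client homes under /home/<user>, site docroots under /var/www/<site>, vsftpd with chroot_local_user=YES, and a Linux system with GNU stat.

```shell
#!/bin/sh
# Added example, not SoftGroup's own tooling. Assumes client homes under
# /home/<user>, site docroots under /var/www/<site>, and vsftpd running with
# chroot_local_user=YES so each client is confined to their home.

# Emit the /etc/fstab line that bind-mounts one site into the client's home.
fstab_bind_line() {
    user=$1; site=$2
    printf '%s %s none bind 0 0\n' "/var/www/$site" "/home/$user/sites/$site"
}

# Emit the full fstab block for a client; the sites are passed as arguments.
fstab_block() {
    user=$1; shift
    for site in "$@"; do
        fstab_bind_line "$user" "$site"
    done
}

# vsftpd refuses a login when the chroot root itself is writable by the user,
# so the home must be owned by someone else (normally root) and not group- or
# world-writable; only the sites/ and scratch/ subdirectories are writable.
# Returns 0 when the layout is safe, 1 otherwise.
check_chroot_home() {
    user=$1; home=$2
    [ -d "$home" ] || return 1
    [ "$(stat -c '%U' "$home")" != "$user" ] || return 1   # GNU stat (Linux)
    case "$(stat -c '%a' "$home")" in
        *[2367]?|*[2367]) return 1 ;;                        # g+w or o+w
    esac
    [ -d "$home/sites" ] && [ -d "$home/scratch" ] || return 1
    return 0
}

# Usage: print the fstab block for a client and verify the layout.
if [ "${1:-}" = "demo" ]; then
    fstab_block alice example.com example.net
    check_chroot_home alice /home/alice && echo "chroot layout ok"
fi
```

Run it as `sh script.sh demo` after creating /home/alice with root-owned mode 755 and writable sites/ and scratch/ subdirectories; the generated lines can then be appended to /etc/fstab and activated with `mount -a`.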