Setup "jailed" PHP Dev user with SSH/Git Access
Hi all,
one of my friends needs a VPS with SSH access for Git and other development work. He is a Laravel/CakePHP developer.

I have a spare VPS with VestaCP running 2-3 test sites, so I thought I'd give him access to this server. However, I need advice on how & what access I should give him so that he can't run system-wide commands or do something problematic, yet can perform all PHP-related development tasks like setting up his Git and other repos etc.

Please suggest the steps... any guides & pointers that may be helpful.

Comments

  • I have no clue about "git and other repos", but phpseclib lets one log into a server over SSH and execute stuff. Maybe that would suffice in combination with a non root user?

  • scyscy Member
    edited September 2015

    an LXC container?

    Git -> nat port from your external IP to an internal IP

    www -> reverse proxy from your main webserver (or start a webserver on another port if it's possible and dev only)

  • Docker?

  • well,
    he needs SSH for Git commands and commits, and some other commands (maybe). I'll check with him specifically.

    I think a non-root user would be a good start... probably making a VestaCP user and giving it SSH access would be like a jailed user only... right? This way he can set up multiple domains/DBs and manage them easily. What say?

  • It depends how much you trust him and how much access to your server you want to give him.

    LXC/docker seems perfect for your needs as he could have his own ssh daemon in his little jail; but if a different user is enough, it will be easier!

  • lxc is actually a good idea. It seems to work out of the box with NAT, you just need to create a VPS, forward ports with iptables and you are done.

  • scyscy Member
    edited September 2015

    Yeah would be quite fast + you learn new stuff if you aren't familiar yet with lxc.

    Once the project is finished you don't have to worry, just delete the container and you're done.

    Probably not perfect from a security perspective but if he has a user in a LXC jail I feel like it's better than a user on your system. You might have to do some research if you want to give him root access in the container though, some time ago it was quite easy to escape and gain root access to the host from my readings. Don't know how it is now.

  • Docker if it's not OpenVZ - If OpenVZ, there are some jail scripts on github you can use.

  • mehargags said: This way he can setup multiple domains/DBs and manage them easily. What say ?

    Web server config files can't be edited by non-root users so if he needs to setup websites on the server he'll need root access or access to a hosting control panel.

  • Let's see, for example:

    1. Change the git post-update hook to execute a script.

      1.1 The script can have:

      • Something related to composer, like composer update, composer cache:clear and so on.

      1.2 It can have a command to remove the app's cache:

      • rm -rf storage/cache/*

      So each time he or she does a push it will call the script and everything will be done.

    2. In 2 servers do something like:

      2.1 Create a gitolite server and ask him for his public key (id_rsa.pub, for example) and add it to the repo he or she is gonna work with.

      2.2 Do the same as in part one with the script, but the script must be on the other server.

      2.2.1 For that, the communication with those servers must be with the same user, for example websync.

      2.3 Create a local folder and clone the repo with the user websync; also create a script that makes an rsync of the files of those servers.

    And that's all, he or she will not need a shell, you will only need his public key and to create 1 or 2 scripts. Depends on what you need.

    If you need more help just let me know ;)

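The "only his public key, no shell" arrangement described in the post above, as an added example that is not from the thread: an authorized_keys forced command that lets the developer's key do nothing except git fetch/push into one repository directory (the script path /usr/local/bin/git-only.sh and REPO_ROOT=/srv/git are assumptions; gitolite does the same job with per-repo permissions on top).

```shell
#!/bin/sh
# Forced-command wrapper for the developer's key in ~/.ssh/authorized_keys.
# Added example, not from the thread; the script path and REPO_ROOT are assumptions.
# Install it on the key line, so sshd never gives that key a shell or a pty:
#   command="/usr/local/bin/git-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... dev@laptop

REPO_ROOT="${REPO_ROOT:-/srv/git}"

# allowed_git_cmd "<SSH_ORIGINAL_COMMAND>"
# Accepts only  git-upload-pack 'name.git'  (clone/fetch/pull) or
# git-receive-pack 'name.git'  (push) for a plain repository name: no path
# separators, no "..", no leading dot, no shell metacharacters. On success it
# prints "<verb> <absolute repo path>" and returns 0; anything else returns 1.
allowed_git_cmd() {
  cmd=$1
  case "$cmd" in
    "git-upload-pack '"*"'" | "git-receive-pack '"*"'") ;;
    *) return 1 ;;
  esac
  verb=${cmd%% *}          # git-upload-pack or git-receive-pack
  repo=${cmd#* }           # 'name.git' including the quotes
  repo=${repo#\'}
  repo=${repo%\'}
  case "$repo" in
    '' | .* | */* | *..* | *[!A-Za-z0-9._-]*) return 1 ;;  # traversal / odd characters
    *.git) ;;
    *) return 1 ;;
  esac
  printf '%s %s/%s\n' "$verb" "$REPO_ROOT" "$repo"
}

# Dispatcher: sshd passes the client's requested command in SSH_ORIGINAL_COMMAND.
# Guarded so the file can also be sourced to check allowed_git_cmd on its own.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if allowed=$(allowed_git_cmd "$SSH_ORIGINAL_COMMAND"); then
    set -- $allowed
    exec "$1" "$2"
  fi
  echo "git-only key: only git fetch/push under $REPO_ROOT is permitted" >&2
  exit 1
fi
```

Everything the developer needs still works with plain `git clone dev@host:site.git` and `git push`, while an interactive login or any other command with that key is refused and logged by sshd.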
  • VestaCP + CHROOT = job well done.

  • ya sure vesta can work :v