
How to “safely” allow others to work on my server?

I sometimes have a need to pay someone to perform some programming which exceeds my expertise. And sometimes that someone is someone I might not know.

My current need is to configure Apache, which happens to be running on CentOS.

Giving root access via SSH on my main physical server is not an option.

What are my options?

One thought is to create a VPS (guest as Linux) on my main physical server (operating system as Linux) using VirtualBox (or equal), have them do the work, figure out what they did, and manually implement the changes myself.

Does this seem secure? Maybe there are better options? Thank you.

I suggest looking into the chroot command. chroot() changes the root directory of the calling process to that specified in path. This directory will be used for pathnames beginning with /. The root directory is inherited by all children of the calling process.

The implication of this is that once inside a chroot "jail", a user cannot see "outside" of the jail. You've changed their root file. You can include custom binaries, or none at all (I don't see why you'd want that, but the point being that YOU decide what the developer can and can't see).

We can use a directory for chroot, or you could use my personal favorite: a mounted file, so your "jail" is easily portable.

Unfortunately I am a Debian user, and I would use debootstrap to build a minimal system into a small file (say, 5GB), but there doesn't seem to be an official RPM equivalent. However, the process is fairly simple. Create a file; I would do so with dd if=/dev/zero of=jailFile bs=1M count=5120. Then we can mkfs.ext4 jailFile. Finally, we must mount it and include any files we wish the jailed user to use (this is what debootstrap does: it downloads all the default goodies in /bin and such), either manually or with a tool.

After these steps you can copy this file around, make backups, or even move servers. All with little to no effort on the user side.

From a short Google search there appears to be a third-party tool that does nearly the same thing as debootstrap, here. If you are comfortable compiling this tool, can build a minimal system manually, or can find an alternative, and the idea of a portable ext4 jail is appealing to you, I suggest this approach.

If the idea is unappealing, you can always chroot a directory, which is very simple.

Here are some great links on chroot:

https://wiki.archlinux.org/index.php/Change_root

https://wiki.debian.org/chroot

http://www.unixwiz.net/techtips/chroot-practices.html

Also, here and here are great links about using chroot with OpenSSH Server.

On a side note: I do not think the question was off topic, but if you feel the answers here are inadequate, you can always ask on https://serverfault.com/ as well!
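The dd / mkfs.ext4 / mount / populate sequence described in the answer above, written out as an added shell example that is not part of the original post: it assumes the image name jailFile and a mount point of /mnt/jail, and uses ldd to copy each binary's shared libraries into the jail so that only what you choose is visible there.

```shell
#!/bin/sh
# Portable ext4 chroot jail, following the answer's steps: dd -> mkfs.ext4 ->
# mount -> populate. JAIL_IMG and JAIL_DIR are assumed names for this example.
set -eu

JAIL_IMG="${JAIL_IMG:-jailFile}"
JAIL_DIR="${JAIL_DIR:-/mnt/jail}"

# Create the 5GB image file, put an ext4 filesystem on it and loop-mount it.
# These commands need root; nothing else in this script does.
make_jail_image() {
    dd if=/dev/zero of="$JAIL_IMG" bs=1M count=5120
    mkfs.ext4 -F "$JAIL_IMG"
    mkdir -p "$JAIL_DIR"
    mount -o loop "$JAIL_IMG" "$JAIL_DIR"
}

# Print the shared libraries a dynamically linked binary needs, one per line,
# parsed from ldd output. Static binaries and scripts print nothing, and a
# "=> not found" entry is skipped because its third field is not a path.
list_libs() {
    ldd "$1" 2>/dev/null | awk '/=> \// { print $3 } /^[[:space:]]*\// { print $1 }'
}

# Copy one binary and every library it depends on into the jail, keeping the
# same paths as on the host, so it runs under chroot with nothing else present.
# This is the manual equivalent of what debootstrap does for a whole system.
install_into_jail() {
    bin="$1"
    for f in "$bin" $(list_libs "$bin"); do
        [ -e "$f" ] || continue
        mkdir -p "$JAIL_DIR$(dirname "$f")"
        cp "$f" "$JAIL_DIR$f"
    done
}

# True when the given host path is present and executable inside the jail.
jail_has() {
    [ -x "$JAIL_DIR$1" ]
}

# Usage as root (then try it with: chroot "$JAIL_DIR" /bin/sh):
#   make_jail_image
#   install_into_jail /bin/sh
#   install_into_jail /bin/ls
```

Only make_jail_image needs root; populate the jail with the short list of binaries the contractor actually needs rather than all of /bin, since what you copy in is exactly what the jailed user can run.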

Controlling permissions is some of the magic at the core of the Linux world.

You... could add the individual as a non-root user, and then work towards providing specific access to the files you would like him to work on.

Doing this requires a fair amount of 'nixing to get right.

Of course, this is one route... If the user is editing something like an Apache configuration file, why not set up the file within a private Bitbucket or GitHub repository?

This way, you can see the changes that are made, confirm they are suitable, then pull them into production at your leisure.
