I finally got sick of my SuSE 9.3 V-Server when a good friend of mine pointed me to this really fancy and sexy IMAP web frontend called RoundCube last week. Since it is written entirely in PHP 5, there was no real chance that I could easily get it working on my oldish PHP 4.3 installation without recompiling everything. I wanted to upgrade to some Ubuntu LTS server in the short to medium term anyway because I got sick of Plesk as well, and while I had had these upgrade thoughts for a while now, the price tag for a temporary setup to make a clean transition was just too high: it would have cost me at least 65 Euro to get a throw-away V-Server for about three months – whereas two weeks would have been enough.
So, being a little kid about these things sometimes, in the sense of not being able to wait for stuff to happen, I did the one thing that one really should not do at all: touching a running system.
I backed up all important stuff to a special directory inside the virtual machine and told the automatic installer procedure to start installing Ubuntu 8.04 LTS. After approximately two hours my working setup was gone. No emailing, no webserver, nothing.
So I started with a clean Ubuntu server instance from scratch yesterday evening and it took me the whole of last night to get some things working. While the mail setup is still a beast (I need to read up on exim and try out a couple of tutorials), I’m already quite proud of my Apache / FastCGI PHP setup. I copied a lot of ideas from the www setup at work where we have implemented separated, secured V-Host users, suexec-protected PHP wrappers and more.
Tonight I added another little puzzle piece into the mix: SFTP/SCP access for individual users to their virtual hosts.
Again, the Ubuntu community was very helpful – I found a HOWTO for getting an sftp server up and running in a jailed environment. There was actually very little I had to change to fit my use case – instead of using /home/chroot as the jail, I put the jail into /var/www/vhostjail and all websites / vhosts which should get file transfer access below that directory. The biggest plus of this setup – besides the security point (people can only sftp or scp to the jail and cannot break anything on the rest of the system) – is that the user who uploads files and the webuser who executes the request (i.e. the Apache user) are now one and the same. No need to make files world-readable or even -writable when setting up a web application which has to read or write data. No need to change the owner or the access rights of uploaded files because the webuser could otherwise not read, write or execute them.
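A way to check that a vhost tree actually has the property described above (one owner, nothing world-readable or world-writable), as an added example that is not part of the original post or the HOWTO. The function name `audit_vhost` and the idea of passing each vhost directory on the command line are assumptions made for this sketch.

```python
import os
import stat
import sys


def audit_vhost(vhost_dir, expected_uid=None):
    """Return sorted (relative_path, problem) findings for one vhost tree.

    expected_uid defaults to the owner of vhost_dir itself, on the
    assumption that the upload user owns the top-level vhost directory.
    """
    uid = os.lstat(vhost_dir).st_uid if expected_uid is None else expected_uid
    findings = []
    # os.walk does not descend into symlinked directories by default,
    # so the audit cannot wander out of the tree.
    for root, _dirs, files in os.walk(vhost_dir):
        for path in [root] + [os.path.join(root, name) for name in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink carry no meaning
            rel = os.path.relpath(path, vhost_dir)
            if st.st_uid != uid:
                # A file owned by someone else breaks the "upload user and
                # web user are the same" assumption for this vhost.
                findings.append((rel, "owner"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif st.st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (paths are examples): audit.py /var/www/vhostjail/<vhost> ...
    status = 0
    for vhost in sys.argv[1:]:
        for rel, problem in audit_vhost(vhost):
            print(f"{vhost}: {rel}: {problem}")
            status = 1
    sys.exit(status)
```

The script exits non-zero when it finds anything, so it can run from cron after uploads.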
Wow. I like that setup.
Now, if only exim were as easy to understand and master…