# using ezjail just for isolation user home directory



## sysnes (Sep 1, 2018)

Hello everyone, I hope all of you are fine.

I decided to change my strategy  using ezjail.
*Before:*
* Install nginx, php-fpm, in one jail and also created all users in this jail
* Install mysql in another jail
* In main host used pf to forwarding port to  and nginx,mysql, etc.

*Now:
** In main host, install all nginx,php,mysql
*** create one jail to every user  just for isolation the home directory of user
*** used just pf to forwarding port custom por 600x to 22 jail in each user, just sfpt, disable ssh console

In nginx I have this syntax:

server {
  listen       80;
  server_name  test.com www.test.com;
  root   /usr/jails/newuser/home/newuser/public;
   .....
   .....
}
nginx by default has root privileges, so can read that path user directory, also in the jail of newuser I set this changes:
* set to group *justsftp* disabled ssh shell (chroot for this user)
* chown -R newuser:www /home/newuser/public
chmod -R 770 /home/test/public/
I have to set to group *www *so php-fpm can write to this path directory

All this is working good. (wordpress site)

*¿what you think about this strategy ?*

In the future I want to be control the server resources like cpu, memory, quote directory disk.

*¿does this approach interfere with future plans ?*

Thanks for any comment


----------



## ShelLuser (Sep 1, 2018)

sysnes said:


> nginx by default has root privileges, so can read that path user directory,


To my knowledge it doesn't. The only moment nginx uses root privileges is to bind itself to port 80, which is a privileged port. After that it immediately drops these permissions and will switch to its default user account.

Therefor you can't rely on nginx being capable of overruling any permission schemes. In fact, that's a really poor approach in the first place, especially if you actually value security. Just double check your permission masks and make sure the nginx process has access.

Just because it's a user directory doesn't imply that no one other than the user can access it you know. By default masks are set to 755.


----------

