I have a few servers that I once in a while have to drop a Wordpress install on where folks need access. Given that more access generally leads to people confused I always set them up in a jail. This usually requires that I pull up my zsh history and run through the song and dance. I could automate it, but it’s one of those tasks that I’d spend more time writing a script then just punching in some quick commands.
- Setup a group that’ll be assigned to users that need a jail in sshd_config. This is one of those things I only do once when I fire up and instance.
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
- Let’s do some user ops.
➜ ~ useradd $USER
➜ ~ passwd $USER
➜ ~ usermod -aG sftponly $USER
- Setup our jailed home directory
➜ ~ sudo -u $USER mkdir -pv /home/$USER/my.awesome.domain.something
➜ ~ chown root. /home/$USER
➜ ~ chmod 755 /home/$USER
➜ ~ chgrp -R $USER /home/$USER
- Ditch the shell
➜ ~ usermod -s /bin/false $USER
- Pull Wordpress and unpack
➜ ~ cd /home/$USER/my.awesome.domain.something
➜ ~ wget http://wordpress.org/latest.tar.gz
➜ ~ tar zxf latest.tar.gz
➜ ~ mv wordpress/* .
➜ ~ rm -rf wordpress/
-
Setup Wordpress with the usual config (wp-config dance, pull plugins, et cetera).
-
Add said new server block to nginx
server {
server_name my.awesome.domain.something;
access_log logs/my.awesome.domain.something.access.log main;
root home/$USER/my.awesome.domain.something;
}
-
Add user to sshd_config
-
Lock down Wordpress
➜ ~ find . -type d -exec chmod 755 {} \;
➜ ~ find . -type f -exec chmod 644 {} \;
And so completes a fast and furios Wordpress setup in a jail. User happy, me reasonably happy, on to other coding things.