
DanTup 06-25-2001 05:50 AM

Webmin & FTP!?!?!
 
Hi!

I'm using Webmin and having some problems (and Webmin docs don't seem to be very, um, existent!). :mad:

Anyway, when I create a new user through webmin, I want them only to have access to /home/theirdir, but right now, they can just go up the tree to / and even /etc! :(

Does anyone know how to stop this?

Thanks very much.

Danny
ps. Just a shameless plug, http://MyBest50.com are offering FREE month's listings to everyone, so check it out (http://mybest50.com/freemonth.php) ;)

jharris 06-25-2001 07:34 AM

I think that you will need to make ftpd chroot when the user accesses it... I think the documentation you want to look at isn't Webmin's but the man page for your ftp daemon. Unfortunately I can't be more specific... what FTP daemon are you using?

cheers.

Jamie...

DanTup 06-25-2001 07:43 AM

wu-ftpd.

I just want to stop them getting anywhere outside of /home/username.

I don't know much about it, but I have access to Webmin and via SSH, so I'd appreciate any suggestions.

While I'm at it, I CHMOD'd all my web folder to 0777 cos it's the only way I could get two users to be able to write into that folder. Is there another way?! I set up a group "webusers" and CHGRP'd the folders to them, but it would still only let the CHOWNer write into there :(

TIA,

Danny

jharris 06-25-2001 08:01 AM

Quote:

Originally posted by DanTup
wu-ftpd.

I just want to stop them getting anywhere outside of /home/username.

If your file system permissions are good then you shouldn't have too much of a problem with them being able to get out anywhere dangerous anyway...

Quote:

Originally posted by DanTup
I don't know much about it, but I have access to Webmin and via SSH, so I'd appreciate any suggestions.

I haven't played about with it myself, hence the suggestions being a little sketchy! Playing with ftpd being chroot would require you to ssh in and change how it gets started up I believe.

Quote:

Originally posted by DanTup
While I'm at it, I CHMOD'd all my web folder to 0777 cos it's the only way I could get two users to be able to write into that folder. Is there another way?! I set up a group "webusers" and CHGRP'd the folders to them, but it would still only let the CHOWNer write into there :(

You want to chown the group to webusers, then have the directory as 770 and that should work. Remember that anyone with write permissions can erase the files in a directory even if they don't have permission to write to the specific file itself. You can avoid this by setting the 'sticky bit' on with chmod 1770. This will only allow users to erase files they own. You will probably also want to look into the default permissions (umask) that the files are created with. If user1 creates a file and you want user2 to be able to read it you want to make sure that it's created with at least 640 permissions otherwise although user2 can see the file (due to dir permissions) they won't be able to read it... Sorry if I'm telling you stuff you already know here!

cheers.

Jamie...

DanTup 06-25-2001 08:11 AM

Quote:

Originally posted by jharris

If your file system permissions are good then you shouldn't have too much of a problem with them being able to get out anywhere dangerous anyway...

Well creating a new user has read access to the whole server :(

Quote:

Originally posted by jharris

I haven't played about with it myself, hence the suggestions being a little sketchy! Playing with ftpd being chroot would require you to ssh in and change how it gets started up I believe.

I don't have a clue how to do that, know where I might find some good docs?

Quote:

Originally posted by jharris

You want to chown the group to webusers, then have the directory as 770 and that should work. Remember that anyone with write permissions can erase the files in a directory even if they don't have permission to write to the specific file itself. You can avoid this by setting the 'sticky bit' on with chmod 1770. This will only allow users to erase files they own. You will probably also want to look into the default permissions (umask) that the files are created with. If user1 creates a file and you want user2 to be able to read it you want to make sure that it's created with at least 640 permissions otherwise although user2 can see the file (due to dir permissions) they won't be able to read it... Sorry if I'm telling you stuff you already know here!

Haha! That's it, I didn't CHMOD to 0770!!!

However, if I create a folder inside there, the default permissions don't let Steve access it, any idea how to set the default to 0770?

btw, I know with CHMOD it user, group, world, and 7 is write, but what other numbers can go in there?

Also, if I chmod to 0770, can other users (not in the group) read the files?

Thanks m8,

Danny

jharris 06-25-2001 08:41 AM

Quote:

Originally posted by DanTup
Well creating a new user has read access to the whole server :(

Uhm... sounds like you really want to lock down your permissions! As for the documentation sorry - dunno really! The usual RTFM chant for the man page might help...

Quote:

Originally posted by DanTup
Haha! That's it, I didn't CHMOD to 0770!!!

However, if I create a folder inside there, the default permissions don't let Steve access it, any idea how to set the default to 0770?

You creating these on the command line? If so then to default to 770 you would have 'umask 007' in one of your login files. To find out about the rest of the file mode (permissions) it's best to read the man page. The sticky bit was originally used to keep common programs in memory in the days of old, the other ones are set UID and set GID bits (SUID/SGID), these make the process run as if it is being executed by the person who owns the file. For example a program owned by root yet executed by a 'normal' user is executed with the full blown permissions of root. There are others I think but dunno about them off the top of my head.

Quote:

Originally posted by DanTup
Also, if I chmod to 0770, can other users (not in the group) read the files?

If they're not the owner or in the group then they will get hit by the 'world/other' permissions, hence won't be able to access it.

cheers.

Jamie...
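
The directory modes and umask values discussed in the posts above, as an added example that is not part of the original thread: it builds a group-shared directory with `chmod 1770` and shows what modes new files and subdirectories get under different umasks. It assumes GNU `stat`, runs unprivileged in a temporary directory, and uses the caller's own primary group as a stand-in for "webusers"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils (stat -c).
# The caller's primary group stands in for the thread's "webusers" group.

# Print the octal permission bits of a path, e.g. 1770.
mode_of() { stat -c '%a' "$1"; }

# Owner and group get full access, everyone else none. The leading 1 is the
# sticky bit: group members may delete only the files they own.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 1770 "$1"
}

# Create NAME.txt and NAME.d inside DIR under the given umask.
# The subshell keeps the caller's own umask unchanged.
create_with_umask() {
    ( umask "$1" && cd "$2" && : > "$3.txt" && mkdir "$3.d" )
}

demo() {
    base=$(mktemp -d) || return 1
    make_shared_dir "$base/web" "$(id -g)"
    create_with_umask 007 "$base/web" shared    # group read/write: 660 / 770
    create_with_umask 027 "$base/web" readonly  # group read only:  640 / 750
    create_with_umask 077 "$base/web" private   # owner only:       600 / 700
    for p in "$base/web" "$base"/web/*; do
        printf '%-5s %s\n' "$(mode_of "$p")" "${p#"$base"/}"
    done
    rm -rf "$base"
}

demo
```

Files come out without execute bits (660 rather than 770) because programs request 666 for files and 777 for directories before the umask is applied.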

DanTup 06-25-2001 08:54 AM

I found a nice page:

http://support.rackspace.com/cgi-bin...&130=945710545

Which helps.

Thanks for your help too,

Danny

jharris 06-25-2001 08:58 AM

Having just read that guide - make sure you only change the shell if your users don't need an interactive login on the server! Changing it to /bin/false will result in the user not being able to spawn a shell...

Jamie...

DanTup 06-25-2001 09:06 AM

They're only having ftp access (whether they like it or not!), no shell, so is it ok?

Also, I'm doing this all through webmin, so for the group thing, I went into Webmin / Servers / FTP / Users & Classes and typed "ftponly" in the Users & Groups to treat as guests. Is that right? (I wasn't too sure about:

Quote:

Add a group called ftponly to the /etc/group file with the command:

groupadd ftponly



Add the line

guestgroup ftponly

to your /etc/ftpaccess file. You should also add guest to the list of users in the log transfers directive in the same file.

Thanks for all your time!

Danny

DanTup 06-25-2001 09:06 AM

eh?!

I don't have an "ftp" folder in /home

:(

It says copy ftp and bin over into their folder

???

DanTup 06-25-2001 09:43 AM

Well I skipped the copying bin and lib bit, and it seems to work fine, however I can't delete files out of that folder now!

I created a new folder and tried to delete it, and it just says denied!

I logged in as a normal user, and I now have access to that folder (usually I can't access another user's home dir), but I can't delete the folder!

Any ideas?!

Thanks,

Danny

jharris 06-25-2001 09:59 AM

If the ftp daemon doesn't internally implement the delete function then it will be trying to call /bin/rm - which won't exist if you haven't recreated the bin directory in the user's home dir... you might wanna copy /bin/ls and /bin/rm and mkdir etc into a bin dir for each user.

good luck

Jamie...

DanTup 06-25-2001 10:13 AM

So shall I just copy /bin and /lib into their folder?
Although it's giving Access Denied, not Command Not Found or anything...?

Doesn't copying mean there's two copies, and therefore if anything's ever updated in one, the other will be not-updated (yes, that's a word).

Also, I put the /./ on the end, and didn't seem to do anything (still gave them full access), it was only when I told it to treat the group ftponly as a guest that it gave that folder a "root" type-feeling. (And I tried setting permissions to allow Guests to delete, thinking it might be that).

DanTup 06-25-2001 10:18 AM

Well for some reason it's letting me delete (and I didn't change anything), however whenever I log out and back in, I don't see any files! It's empty (but if I try creating a new folder, it says /New Folder already exists).

I guess it's chrooted, but I don't know why! (I didn't type chroot anywhere! But that's what I wanted anyway)

Any ideas?!

DanTup 06-25-2001 10:23 AM

ARGH!!!

:newbie:

Ok, I copied /bin to /home/test/bin and logged in as test, and it still just shows an empty listing! The folders must be there, cos it dies when I try to create a new folder called "New Folder" (as it already exists), but it's not showing up at all!!

:mad:
