LinuxQuestions.org > Forums > Linux Forums > Linux - Security
05-14-2004, 03:55 AM   #1
yvesg (Member; Registered: May 2004; Distribution: SuSe v9.3 Professional; Posts: 33)

Lock in homedir question ....


I have Fedora Core 1 running on my linux box.
It allows several users to connect to it via SSH, and FTP (service is vsftpd and sshd).

1st Question.

I managed to lock the users in their home directory on the FTP server by changing the passwd and vsftpd.conf files.
This works nicely for FTP, but when they use their username and password to log in via SSH, they can still change to the root and all other dirs.
Is it also possible to lock users in their home dir when they connect via SSH?



2nd Question:

Say there are 3 users on my system, userA, userB and FTPuser.
userA's homedir is /home/usera, the same for userb (/home/userb) and the ftpuser (/home/ftpuser)

All users are locked into their homedirs. This is tested and works fine.
Now I want to set /home/ftpuser to be a general (shared) directory, so userA and userB can change to that specific directory without the need to log back in with a different username.
I've made a symbolic link in userA's and userB's homedirs to the /home/ftpuser folder and assigned the right user rights. But (of course) the user can't change to the folder, because the vsftpd.conf & passwd file tells them to be locked in their homedir.

Is there any way to solve this? So userA and userB are locked in their homedir, but can still change to that specific (/home/ftpuser) directory?



Thanks in advance...
 
05-14-2004, 08:16 PM   #2
btmiller (Senior Member; Registered: May 2004; Location: In the DC 'burbs; Distribution: Arch, Scientific Linux, Debian, Ubuntu; Posts: 4,290)

Question 1:

You can lock them in their home directories, but only with a lot of hassle getting a chrooted environment set up. That means that you would have to copy every program, file, and library that those users would need to use somewhere within their home directory. This would be a lot of stuff and it would have to be done for each user you want to chroot. Plus a lot of software likes having access to the etc directory for system-wide configuration files and such (though this is usually not a strict requirement for running it). Incidentally, this is doable in FTP because FTP uses only a few programs (e.g. ls, rm) to do its thing, and it has special statically linked versions of those programs so it doesn't have to have copies of all the libraries they would normally need.

I'm not even sure how one would get the OpenSSH server to handle the chroot -- I'm sure there's a way though, or one could be developed with a bit of effort. The question is why exactly you want to do this. Giving users access to the whole filesystem is generally not a hole unless permissions are not set correctly elsewhere. You may also wish to ask yourself whether these users really need shell access at all, in which case you can simply limit them to FTP access only and the problem is solved.

Question 2:

Try making a hard link instead of a soft (symbolic) link. It works for sockets at least, and should work for directories.
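The copying described in reply #2 (each binary a chrooted shell user needs, plus the shared libraries it links against) can be scripted. The following is an added example, not code from the thread or from any of the posters; the binary list, the per-user root under /home and the /etc handling are assumptions. It parses ldd output to find the libraries, copies each file to the same path under the new root, and gives the root the minimal layout a chroot needs.

```sh
#!/bin/sh
# Added example: populate a per-user chroot with a few binaries and the shared
# libraries they need. Run as root. Paths and binary list are assumptions.

# parse_ldd: read ldd output on stdin and print each shared object's absolute
# path. Handles "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the bare loader
# line "/lib64/ld-linux-x86-64.so.2 (0x...)". The vdso line and the
# "statically linked" / "not a dynamic executable" messages print nothing,
# so a static binary simply gets no libraries copied.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//              { print $1 }'
}

# list_libs BIN: shared objects BIN links against.
# Caveat: ldd may execute its argument, so only point it at trusted system binaries.
list_libs() {
    ldd "$1" 2>/dev/null | parse_ldd
}

# install_into ROOT PATH: copy PATH to ROOT/PATH, creating parent directories
# and preserving mode/ownership so setuid bits are not silently gained or lost.
install_into() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# build_chroot ROOT BIN...: copy each binary plus its libraries into ROOT and
# give ROOT the skeleton a chroot needs: a root-owned, non-writable top,
# a sticky /tmp, /dev/null, and an (empty) /etc for the programs that want one.
build_chroot() {
    root=$1; shift
    for bin in "$@"; do
        install_into "$root" "$bin"
        list_libs "$bin" | while IFS= read -r lib; do
            install_into "$root" "$lib"
        done
    done
    mkdir -p "$root/tmp" "$root/dev" "$root/etc"
    chmod 1777 "$root/tmp"
    [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3
    chown root:root "$root"
    chmod 755 "$root"
}

# Usage (assumed invocation): sh build_chroot.sh /home/usera /bin/sh /bin/ls /bin/cat
if [ "$#" -ge 2 ]; then
    build_chroot "$@"
fi
```

Two gotchas the script cannot see: name-service modules (libnss_files.so and friends) are loaded with dlopen, so ldd does not list them, and `ls -l` inside the chroot will show numeric ids until those modules and a trimmed /etc/passwd and /etc/group are copied in as well; and every library copied is another file to keep patched, which is the maintenance cost the reply warns about.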
 
06-12-2004, 06:49 PM   #3
mates007 (LQ Newbie; Registered: Jan 2004; Posts: 4)

Q2: try "mount" instead of "ln", because ln won't let you out of the chroot.
 
06-13-2004, 03:59 AM   #4
ppuru (Senior Member; Registered: Mar 2003; Location: Beautiful BC; Distribution: RedHat & clones, Slackware, SuSE, OpenBSD; Posts: 1,791)

http://www.sublimation.org/scponly

may have an answer.
 
06-19-2004, 05:22 PM   #5
yvesg (Original Poster; Member; Registered: May 2004; Distribution: SuSe v9.3 Professional; Posts: 33)

Well, about Q2:
Hard links don't work on directories... so how should I fix this?
 
06-20-2004, 01:20 AM   #6
ppuru (Senior Member; Registered: Mar 2003; Location: Beautiful BC; Distribution: RedHat & clones, Slackware, SuSE, OpenBSD; Posts: 1,791)

Create a common ftp group, put a and b in that group, and assign group rights for ftpgroup on your ftp directory...
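Replies #3 (use mount rather than ln) and #6 (a common group on the shared directory) together cover question 2. The reason the symlink fails is that inside userA's chroot the kernel resolves the link target /home/ftpuser relative to the chroot root, i.e. as /home/usera/home/ftpuser, which does not exist; a bind mount, by contrast, is a real directory entry inside the chroot. The script below is an added example, not code from the thread: it sets the group-shared permissions and mounts /home/ftpuser into each locked-in user's home. Names (/home/ftpuser, the "shared" subdirectory, the group name) are assumptions.

```sh
#!/bin/sh
# Added example: share one directory between users who are each chrooted into
# their own home. Run as root. Directory and group names are assumptions.

# share_dir_perms DIR GROUP: make DIR a group-shared tree. Mode 2770 = setgid
# bit (files created inside inherit GROUP instead of the creator's primary
# group) + rwx for owner and group, nothing for others.
share_dir_perms() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# fstab_bind_line SRC DST: the /etc/fstab entry that re-creates the bind mount
# at boot, so the share survives a reboot.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# bind_into_home SHARED USER GROUP: add USER to GROUP and mount SHARED at
# /home/USER/shared. The mount point is a subdirectory, not the home itself,
# so the chroot top stays under the admin's control.
bind_into_home() {
    shared=$1; user=$2; group=$3
    usermod -a -G "$group" "$user"
    mkdir -p "/home/$user/shared"
    mount --bind "$shared" "/home/$user/shared"
    line=$(fstab_bind_line "$shared" "/home/$user/shared")
    grep -qF "$line" /etc/fstab || printf '%s\n' "$line" >> /etc/fstab
}

# Usage (assumed invocation): sh share_dir.sh /home/ftpuser ftpgroup usera userb
if [ "$#" -ge 3 ]; then
    shared=$1; group=$2; shift 2
    groupadd -f "$group"
    share_dir_perms "$shared" "$group"
    for u in "$@"; do
        bind_into_home "$shared" "$u" "$group"
    done
fi
```

The setgid bit only fixes group ownership of new files; their group write bit comes from the creating process's umask, so members need umask 002 in their shell (or `local_umask=002` in vsftpd.conf) for files to be editable by the other members. One bind mount per user is needed, which is fine for three users but worth knowing before scaling up.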
 
06-20-2004, 05:34 AM   #7
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)

WRT OpenSSH, there's a chroot patch for that, but YMMV getting it to work. Search the Security References or Sourceforge for it.