LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   [proftp]user has access to whole filesystem (https://www.linuxquestions.org/questions/linux-software-2/%5Bproftp%5Duser-has-access-to-whole-filesystem-441776/)

Wim Sturkenboom 05-05-2006 12:52 AM

[proftp]user has access to whole filesystem
 
I have recently setup a SLackware10.1 box running proftpd. proftpd is started by inetd.
The system has one normal user. This user has (for some reason) ftp access (at least read) to the whole file system.
This is not the intention and I like to know how to solve this.

Reading up tells me to chroot the user to his home directory. Also, searching this forum refers to chroot.
I've added the bold lines to proftpd.conf and restarted inetd (I assumed that that's necessary as proftpd started by inetd).
Code:

# This is a basic ProFTPD configuration file.
# It establishes a single server and a single anonymous login.
# It assumes that you have a user/group "nobody" and "ftp"
# for normal/anonymous operation.

ServerName                      "ProFTPD Default Installation"
#ServerType                    standalone
ServerType                      inetd
DefaultServer                  on

# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                          022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            nobody
Group                          nogroup

# This next option is required for NIS or NIS+ to work properly:
#PersistentPasswd off

SystemLog                      /var/log/proftpd.log
TransferLog                    /var/log/xferlog

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite                on
</Directory>

#WimS
<VirtualHost btd-techweb01.mca.naspers.dom>
DefaultRoot ~
</VirtualHost>


# A basic anonymous FTP server configuration.
# To enable this, remove the user ftp from /etc/ftpusers.
<Anonymous ~ftp>
  RequireValidShell            off
  User                          ftp
  Group                        ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                    anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    50

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir            .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

  # An upload directory that allows storing files but not retrieving
  # or creating directories.
#  <Directory incoming/*>
#    <Limit READ>
#      DenyAll
#    </Limit>
#
#    <Limit STOR>
#      AllowAll
#    </Limit>
#  </Directory>

</Anonymous>

This does not seem to do the trick. It also does not make sense to me as I don't want a virtual host. Seeing the word 'DefaultRoot' then also does not make sense, it's just the default.

So how can I limit user access? Thanks in advance

PS 1
The user only belongs to group users
PS 2
I ran Slackware 10.0 before with proftp and can't remember that I had this problem (stock standard worked as far as I can remember).

bathory 05-05-2006 02:13 AM

Remove the <VirtualHost...> and </VirtualHost> lines since you don't need them and change DefaultRoot to:
Code:

DefaultRoot ~/
I guess the user's homedir is /home/userid and not /

Wim Sturkenboom 05-08-2006 07:57 AM

Tnanks. I however kept the DefaultRoot as was and that works as well.


All times are GMT -5. The time now is 09:11 AM.