FTP Users are able to Traverse directories up to the root of my server
Hi. I have put together a Redhat Linux 9 machine in order to run a web site.
I am currently trying to work out how I can allow certain users to FTP into the website and update certain areas, but not have access to all areas.
The FTP client running is vsftpd, to which I have been able to perform anonymous logins, getting to /var/ftp/pub (and only view pub, and not traverse up directories).
I have also been able to set up users with Home Drives, and I am able to FTP into the Home Drives.
It is this that causes the problem. When I FTP in I am able to navigate my way right up to the root of the server, and then navigate my way around the server.
I would like to know how to stop this navigation upwards from the point at which you log in.
I did try restricting permissions on other folders, but ended up having to reinstall from scratch!
P.S. I apologise if this has already been asked elsewhere in the lists.
You're looking for chroot... man chroot for more details.
Can you specify what exactly the problem is?
Does this problem occur only when you log in as anonymous, or when you log in as a guest user, or both?
I can help you because I run vsftpd as well. I think your problem is related to chroot, so you must configure vsftpd.conf to chroot users to their home directory. And you must check that home directories are specified as follows in "/etc/passwd":
user:passwd:number:number:User description:/home/user directory/./:/bin/false
It's very important to add "./" at the end of users' home directories, so that users are placed in their own directories and can't go up to parent ones. And it's very important to add "/bin/false" as well.
Then you must check that "/bin/false" is included in the file "shells" in the etc directory.
Thanks guys, you are brilliant!
In the end, I found a reference on the net to add chroot_local_user=YES to my vsftpd.conf file and also added the /./ to the Home Directory in /etc/passwd as mentioned by ilpadrino
I was struggling to find a sample file for the /etc/vsftpd.chroot_list after enabling chroot_list_enable=YES, but the post on the net answered this with the line above.
Thanks again for pointing me towards chroot......
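As an added example, not taken from the thread, here is a small POSIX shell script that reads a vsftpd.conf and an /etc/passwd-style file and reports whether vsftpd will jail a given local user, following vsftpd's documented rule: with chroot_local_user=YES the chroot_list names the exceptions, and with chroot_local_user=NO it names who is jailed. The sample passwd and config files are constructed, the user names are invented, and the "/./" home-directory marker is handled only as the convention ilpadrino describes (which vsftpd versions honour that marker is not something this script checks).

```sh
#!/bin/sh
# Added example, not from the thread: decide from a vsftpd.conf and an
# /etc/passwd-style file whether vsftpd will jail a local user on login.
# vsftpd's documented rules:
#   chroot_local_user=YES -> every local user is chrooted to its home directory;
#                            with chroot_list_enable=YES the list names EXCEPTIONS.
#   chroot_local_user=NO  -> nobody is chrooted unless chroot_list_enable=YES,
#                            and then the list names who IS chrooted.
# The "/./" marker in the home field is treated as "jail root ends here", as in
# ilpadrino's post; whether a given vsftpd build honours it is not checked here.

conf_value() {   # conf_value FILE KEY DEFAULT : last uncommented KEY=value wins
    _v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# vsftpd_chroot_status CONF PASSWD USER -> "chrooted:<jail root>" or "unrestricted"
vsftpd_chroot_status() {
    _home=$(awk -F: -v u="$3" '$1 == u { print $6 }' "$2")
    if [ -z "$_home" ]; then echo "no such user: $3" >&2; return 1; fi
    _local=$(conf_value "$1" chroot_local_user NO)
    _listen=$(conf_value "$1" chroot_list_enable NO)
    _list=$(conf_value "$1" chroot_list_file /etc/vsftpd.chroot_list)
    _inlist=no
    if [ "$_listen" = YES ] && [ -r "$_list" ] && grep -qx "$3" "$_list"; then
        _inlist=yes
    fi
    if [ "$_local" = YES ]; then
        if [ "$_inlist" = yes ]; then _jailed=no; else _jailed=yes; fi
    else
        _jailed=$_inlist
    fi
    if [ "$_jailed" = yes ]; then
        _root=${_home%%/./*}       # "/home/u/./" -> "/home/u"; no marker -> unchanged
        _root=${_root%/}
        if [ -z "$_root" ]; then _root=/; fi
        if [ "$_root" = / ]; then echo "WARNING: jail root is /, which confines nothing" >&2; fi
        printf 'chrooted:%s\n' "$_root"
    else
        printf 'unrestricted\n'    # "cd .." works all the way up to the real /
    fi
}

# make_samples DIR : constructed sample files (invented users, not the poster's system)
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
webedit:x:1001:1001:Web editor:/home/webedit/./:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/false
EOF
    # before: the thread's starting point, no chroot directives at all
    cat > "$1/before.conf" <<'EOF'
local_enable=YES
write_enable=YES
EOF
    # after: jail everyone, with the list holding the exceptions (alice only);
    # chroot_list_file points into DIR only so the sample runs outside /etc
    cat > "$1/after.conf" <<EOF
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$1/vsftpd.chroot_list
EOF
    echo alice > "$1/vsftpd.chroot_list"
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for u in webedit alice root; do
    printf '%-8s before: %-13s after: %s\n' "$u" \
        "$(vsftpd_chroot_status "$SAMPLE_DIR/before.conf" "$SAMPLE_DIR/passwd" "$u")" \
        "$(vsftpd_chroot_status "$SAMPLE_DIR/after.conf" "$SAMPLE_DIR/passwd" "$u")"
done
rm -rf "$SAMPLE_DIR"
```

Two things worth checking on a real box. First, a name in vsftpd.chroot_list together with chroot_local_user=YES is an exception that escapes the jail, not a user who gets jailed, which is the opposite of what the sample file the original poster was hunting for might suggest. Second, vsftpd 3.0 and later refuse to log a user into a jail whose root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set; the usual fix is a root-owned home directory with a writable subdirectory for uploads.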
Root Login via SFTP: How to set it up
I found this thread in searching for a way to sftp into my server as 'root'. I just got a dedicated from serverbeach running Redhat 9 with cPanel but I'm not an admin - I know enough basics to 'manage' a FreeBSD server (enough to be dangerous) without a control panel. I've had a site up through Verio since 1996 - a 'virtual server' running FreeBSD and this was never an issue.
I fully understand this is a security issue.
A fellow is doing the basic initial setup for me, and whilst I'm not particularly averse to telnet and the command line, for some things it's just simpler for me to graphically see the files in a window, be able to change permissions easily and simply, and such.
From what I can tell this was possible back in version 7. I found this at redhat:
It sounds like it can be enabled. The below is from 7, but from the link above it appears it may still be applicable.
This file lists all the users that are not allowed to FTP into your machine. For example, root is listed in /etc/ftpusers by default. That means that you cannot FTP to your machine and log in as root. This is a good security measure, but some administrators prefer to remove root from this file.
I don't want anonymous ftp access at all.
Have any of you folks set up redhat 9 for ftp or sftp as root or know how?
It seems to me that what you are looking to do is to be able to gain full access to your server from afar. May I suggest a much more secure approach? How about ssh, scp and rsync?
--SSH allows encrypted communication (secure shell). With an ssh server running you can gain full terminal access to your remote machine: run programs as root, start and stop processes, etc. You can be securely logged in, and you choose whether to live with encrypted password authentication or the more secure public/private keys.
--SCP uses the SSH encryption to move a limited number of files.
--rsync -ave ssh [from] [to] allows you to move larger data sets (it is slower than a direct FTP connection, but more secure).
I have had FTP access abused on several servers and DO NOT recommend it for anything except controlled use on isolated boxes. Trust me, the frustrations of getting ssh up and running are far more palatable than a cracked machine, and FTP is very, very hard to make secure.
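The reply above recommends ssh in place of FTP. As an added example, not part of the thread, here is an sshd_config fragment that gives a non-root account the graphical SFTP access the second poster wants (key-only login, root login refused) while confining that account to its own tree. The account names `admin` and `webedit` and the path /srv/webedit are assumptions. The Match, ChrootDirectory and internal-sftp directives need OpenSSH 4.8 or later, so they would not have applied to the OpenSSH shipped with Red Hat 9; and sshd insists that the ChrootDirectory itself is owned by root and not writable by group or others, otherwise the login is refused.

```sshd_config
# /etc/ssh/sshd_config (fragment) -- added example, assumed account names and path

# Never accept root over the network; log in as a normal user and use su/sudo.
PermitRootLogin no

# Keys only, so "someone cracks the password" stops being the threat model.
PubkeyAuthentication yes
PasswordAuthentication no

# Explicit allow-list; everyone else is refused before authentication.
AllowUsers admin webedit

# In-process SFTP server; required inside a ChrootDirectory, which has no
# /usr/libexec/sftp-server binary to run.
Subsystem sftp internal-sftp

# A file-only account: SFTP works in GUI clients, but no shell, no forwarding,
# and the session is jailed to /srv/webedit. That directory must be owned by
# root and not group/world writable; give webedit a writable subdirectory
# underneath it (for example /srv/webedit/htdocs) for the actual uploads.
Match User webedit
    ChrootDirectory /srv/webedit
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the result with `sshd -t` before restarting the daemon, and keep an existing session open while you test the new configuration so a typo does not lock you out.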
Yes - the idea was/is to be able to ftp or sftp into a 'dedicated server' like I have on my FreeBSD server, which I set up in 1997-8. Since there's only me on it, the issue is really limited to someone 'cracking' the password to get in - I think.
I don't want to run programs or such. It's so easy to go in via ftp and say download apache's config file, edit it on my Mac, rename the file on the server (I append a date so I know what file I had until a given date) and re-upload the changed file.
I also am learning the Linux directory structure.
I guess I'll have to learn vi and such to edit online and get ready to dive back in the command line mentality.
Your advice is appreciated. I will probably abandon the idea, but then again as I said earlier I've been on a FreeBSD box for years, always had root sftp access and never had a problem.
I'm new to a lot of this stuff - I just maintain my own server, I'm not a knowledgeable admin. And I'm totally new to Linux. I'll check out SCP and rsync -ave ssh.
Again, many thanks for the advice!