Old 10-08-2003, 11:32 AM   #1
stingay
LQ Newbie
 
Registered: Oct 2003
Posts: 2

Rep: Reputation: 0
FTP Users are able to Traverse directories up to the root of my server


Hi, I have put together a Redhat Linux 9 machine in order to run a web site.

I am currently trying to work out how I can allow certain users to FTP into the website and update certain areas, but not have access to all areas.

The FTP client running is vsftpd, to which I have been able to perform anonymous logins, getting to /var/ftp/pub (and only view pub, and not traverse up directories).

I have also been able to set up users, with Home Drives, so that I am able to FTP into the Home Drives.

It is this that causes the problem. When I FTP in I am able to navigate my way right up to the root of the server, and then navigate my way around the server.

I would like to know how to stop this navigation upwards from the point that you log in?


I did try restricting permissions on other folders, but ended up having to reinstall from scratch!

Thanks

Steve

P.S. I apologise if this has already been asked elsewhere in the lists.
 
Old 10-08-2003, 01:24 PM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
You're looking for chroot... man chroot for more details.
 
Old 10-09-2003, 05:25 AM   #3
ilpadrino
Member
 
Registered: Oct 2003
Location: Spain
Distribution: Fedora
Posts: 104

Rep: Reputation: 15
Can you specify what exactly the problem is?

Does this problem occur only when you log in as anonymous, or when you log in as a guest user, or both?

I can help you because I run vsftpd as well. I think your problem is related to chroot, so you must configure vsftpd.conf to chroot users to their home directory. And you must check that home directories are specified as follows in "/etc/passwd":

user:passwd:number:number:User description:/home/user directory/./:/bin/false

i.e: tom:63gfgg63vf:0:10:Thegreatgod:/home/tom/./:/bin/false

It's very important to add "./" at the end of users' home directories so that users are placed in their directories and can't go up to the parent ones. And it's very important to add "/bin/false" as well.

Then you must check that "/bin/false" is included in the file "shells" in etc directory.

Greetings
 
Old 10-09-2003, 09:26 AM   #4
stingay
LQ Newbie
 
Registered: Oct 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks guys, you are brilliant!

In the end, I found a reference on the net to add chroot_local_user=YES to my vsftpd.conf file and also added the /./ to the Home Directory in /etc/passwd as mentioned by ilpadrino.


I was struggling to find a sample file for the /etc/vsftpd.chroot_list after enabling chroot_list_enable=YES, but the post on the net answered this with the line above.

Thanks again for pointing me towards chroot......


Cheers

Steve
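
An added example, not written by any poster in this thread: a small Python check of how vsftpd's chroot_local_user and chroot_list_enable options combine, following the vsftpd.conf man page. When both are YES, the file named by chroot_list_file lists the users who are NOT jailed, so enabling the list without reviewing its contents can leave accounts able to walk up to /. The config text and user names below are constructed samples.

```python
# Added example: which local users would vsftpd leave outside a chroot jail?
# Sample config strings and user names are constructed for illustration.

DEFAULTS = {  # defaults documented in the vsftpd.conf man page
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "chroot_list_file": "/etc/vsftpd.chroot_list",
}

def parse_vsftpd_conf(text):
    """Parse option=value lines; '#' starts a comment line.
    vsftpd does not allow spaces around '=', so none are stripped there."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts

def is_yes(opts, key):
    # Assumption: an option counts as enabled only when its value is YES.
    return opts.get(key, "NO").upper() == "YES"

def jailed(user, opts, listed):
    """Apply the man page rule for the two chroot options."""
    in_list = is_yes(opts, "chroot_list_enable") and user in listed
    if is_yes(opts, "chroot_local_user"):
        return not in_list  # list holds the exceptions (NOT jailed)
    return in_list          # list holds the users to jail

def unjailed_users(conf_text, list_text, users):
    """Return the users who could still traverse above their home directory."""
    opts = parse_vsftpd_conf(conf_text)
    listed = {u.strip() for u in list_text.splitlines() if u.strip()}
    return sorted(u for u in users if not jailed(u, opts, listed))

# Constructed samples: stock-style config, the fix from this thread,
# and the same fix with chroot_list_enable also switched on.
BEFORE = "anonymous_enable=YES\nlocal_enable=YES\n"
AFTER = BEFORE + "chroot_local_user=YES\n"
BOTH = AFTER + "chroot_list_enable=YES\n"
USERS = ["steve", "webdev"]

if __name__ == "__main__":
    print("before fix:", unjailed_users(BEFORE, "", USERS))
    print("after fix: ", unjailed_users(AFTER, "", USERS))
    print("both + list containing webdev:", unjailed_users(BOTH, "webdev\n", USERS))
```

To audit a real server, pass the contents of /etc/vsftpd/vsftpd.conf, the chroot list file, and the account names allowed to log in over FTP.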
 
Old 10-24-2003, 02:43 AM   #5
Marc Smith
LQ Newbie
 
Registered: Oct 2003
Location: Cincy, OH - US
Distribution: Redhat 9
Posts: 2

Rep: Reputation: 0
Root Login via SFTP: How to set it up

I found this thread in searching for a way to sftp into my server as 'root'. I just got a dedicated from serverbeach running Redhat 9 with cPanel but I'm not an admin - I know enough basics to 'manage' a FreeBSD server (enough to be dangerous) without a control panel. I've had a site up through Verio since 1996 - a 'virtual server' running FreeBSD and this was never an issue.

I fully understand this is a security issue.

A fellow is doing the basic initial setup for me and whilst I'm not particularly averse to telnet and the command line, for some things it's just simpler for me to graphically see the files in a window, be able to change permissions easily and simply and such.

From what I can tell this was possible back in version 7. I found this at redhat:

http://www.redhat.com/docs/manuals/l...erver-ftp.html

It sounds like it can be enabled. The below is from 7, but from the link above it appears it may still be applicable.

/etc/ftpusers
This file lists all the users that are not allowed to FTP into your machine. For example, root is listed in /etc/ftpusers by default. That means that you cannot FTP to your machine and log in as root. This is a good security measure, but some administrators prefer to remove root from this file.
http://www.redhat.com/docs/manuals/l...admin-ftp.html

I don't want anonymous ftp access at all.

Have any of you folks set up redhat 9 for ftp or sftp as root or know how?
 
Old 10-24-2003, 09:09 PM   #6
mcm77
LQ Newbie
 
Registered: May 2003
Location: Massachusetts
Distribution: Red Hat
Posts: 5

Rep: Reputation: 0
Marc-
It seems to me that what you are looking to do is to be able to gain full access to your server from afar- may I suggest a much more secure approach? How about ssh & scp & rsync ??

--SSH allows encrypted communication (secure shell) - with an ssh server running you can gain full terminal access to your remote machine- run programs as root, start and stop processes etc.- you can be securely logged in - you choose whether to live with encrypted password authentication or the more secure public/private keys.

--SCP uses the SSH encryption to move a limited number of files

--rsync -ave ssh [from] [to] allows you to move larger data sets (it is slower than a direct FTP connection, but more secure)-


I have had FTP access abused on several servers and DO NOT recommend it for anything except controlled use on isolated boxes-- trust me, the frustrations of getting ssh up and running are far more palatable than a cracked machine & FTP is very, very hard to make secure-

michael
 
Old 10-25-2003, 03:22 AM   #7
Marc Smith
LQ Newbie
 
Registered: Oct 2003
Location: Cincy, OH - US
Distribution: Redhat 9
Posts: 2

Rep: Reputation: 0
Yes - the idea was/is to be able to ftp or sftp into a 'dedicated server' like I have on my FreeBSD server I set it up in 1997-8. Since there's only me on it, the issue is really limited to someone 'cracking' the password to get in - I think.

I don't want to run programs or such. It's so easy to go in via ftp and say download apache's config file, edit it on my Mac, rename the file on the server (I append a date so I know what file I had until a given date) and re-upload the changed file.

I also am learning the Linux directory structure.

I guess I'll have to learn vi and such to edit online and get ready to dive back in the command line mentality.

Your advice is appreciated. I will probably abandon the idea, but then again as I said earlier I've been on a FreeBSD box for years, always had root sftp access and never had a problem.

I'm new to a lot of this stuff - I just maintain my own server, I'm not a knowledgeable admin. And I'm totally new to Linux. I'll check out SCP and rsync -ave ssh

Again, many thanks for the advice!
 
  

