06-25-2001, 05:50 AM
|
#1
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Rep:
|
Webmin & FTP!?!?!
Hi!
I'm using Webmin and having some problems (and Webmin docs don't seem to be very, um, existent!).
Anyway, when I create a new user through webmin, I want them only to have access to /home/theirdir, but right now, they can just go up the tree to / and even /etc!
Does anyone know how to stop this?
Thanks very much.
Danny
ps. Just a shameless plug, http://MyBest50.com are offering FREE month's listings to everyone, so check it out ( http://mybest50.com/freemonth.php)
|
|
|
06-25-2001, 07:34 AM
|
#2
|
Senior Member
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243
Rep:
|
I think that you will need to make ftpd chroot when the user accesses it... I think the documentation you want to look at isn't Webmin's but the man page for your ftp daemon. Unfortunately I can't be more specific... what FTP daemon are you using?
cheers.
Jamie...
|
|
|
06-25-2001, 07:43 AM
|
#3
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
wu-ftpd.
I just want to stop them getting anywhere outside of /home/username.
I don't know much about it, but I have access to Webmin and via SSH, so I'd appreciate any suggestions.
While I'm at it, I CHMOD'd all my web folder to 0777 cos it's the only way I could get two users to be able to write into that folder. Is there another way?! I set up a group "webusers" and CHGRP'd the folders to them, but it would still only let the CHOWNer write into there
TIA,
Danny
|
|
|
06-25-2001, 08:01 AM
|
#4
|
Senior Member
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243
Rep:
|
Quote:
Originally posted by DanTup
wu-ftpd.
I just want to stop them getting anywhere outside of /home/username.
|
If your file system permissions are good then you shouldn't have too much of a problem with them being able to get out anywhere dangerous anyway...
Quote:
Originally posted by DanTup
I don't know much about it, but I have access to Webmin and via SSH, so I'd appreciate any suggestions.
|
I haven't played about with it myself, hence the suggestions being a little sketchy! Playing with ftpd being chroot would require you to ssh in and change how it gets started up I believe.
Quote:
Originally posted by DanTup
While I'm at it, I CHMOD'd all my web folder to 0777 cos it's the only way I could get two users to be able to write into that folder. Is there another way?! I set up a group "webusers" and CHGRP'd the folders to them, but it would still only let the CHOWNer write into there
|
You want to chown the group to webusers, then have the directory as 770 and that should work. Remember that anyone with write permissions can erase the files in a directory even if they don't have permission to write to the specific file itself. You can avoid this by setting the 'sticky bit' on with chmod 1770. This will only allow users to erase files they own. You will probably also want to look into the default permissions (umask) that the files are created with. If user1 creates a file and you want user2 to be able to read it you want to make sure that it's created with at least 640 permissions otherwise although user2 can see the file (due to dir permissions) they won't be able to read it... Sorry if I'm telling you stuff you already know here!
cheers.
Jamie...
|
|
|
06-25-2001, 08:11 AM
|
#5
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
Quote:
Originally posted by jharris
If your file system permissions are good then you shouldn't have too much of a problem with them being able to get out anywhere dangerous anyway...
|
Well creating a new user has read access to the whole server
Quote:
Originally posted by jharris
I haven't played about with it myself, hence the suggestions being a little sketchy! Playing with ftpd being chroot would require you to ssh in and change how it gets started up I believe.
|
I don't have a clue how to do that, know where I might find some good docs?
Quote:
Originally posted by jharris
You want to chown the group to webusers, then have the directory as 770 and that should work. Remember that anyone with write permissions can erase the files in a directory even if they don't have permission to write to the specific file itself. You can avoid this by setting the 'sticky bit' on with chmod 1770. This will only allow users to erase files they own. You will probably also want to look into the default permissions (umask) that the files are created with. If user1 creates a file and you want user2 to be able to read it you want to make sure that it's created with at least 640 permissions otherwise although user2 can see the file (due to dir permissions) they won't be able to read it... Sorry if I'm telling you stuff you already know here!
|
Haha! That's it, I didn't CHMOD to 0770!!!
However, if I create a folder inside there, the default permissions don't let Steve access it, any idea how to set the default to 0770?
btw, I know with CHMOD it's user, group, world, and 7 is write, but what other numbers can go in there?
Also, if I chmod to 0770, can other users (not in the group) read the files?
Thanks m8,
Danny
|
|
|
06-25-2001, 08:41 AM
|
#6
|
Senior Member
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243
Rep:
|
Quote:
Originally posted by DanTup
Well creating a new user has read access to the whole server
|
Uhm... sounds like you really want to lock down your permissions! As for the documentation sorry - dunno really! The usual RTFM chant for the man page might help...
Quote:
Originally posted by DanTup
Haha! That's it, I didn't CHMOD to 0770!!!
However, if I create a folder inside there, the default permissions don't let Steve access it, any idea how to set the default to 0770?
|
You creating these on the command line? If so then to default to 770 you would have 'umask 007' in one of your login files. To find out about the rest of the file mode (permissions) it's best to read the man page. The sticky bit was originally used to keep common programs in memory in the days of old, the other ones are the set UID and set GID bits (SUID/SGID); these make the process run as if it is being executed by the person who owns the file. For example a program owned by root yet executed by a 'normal' user is executed with the full blown permissions of root. There are others I think but dunno about them off the top of my head.
Quote:
Originally posted by DanTup
Also, if I chmod to 0770, can other users (not in the group) read the files?
|
If they're not the owner or in the group then they will get hit by the 'world/other' permissions, hence won't be able to access it.
cheers.
Jamie...
|
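The modes discussed in the exchange above (770, 1770, `umask 007`), as an added example that is not from either poster: a shell script that builds a scratch directory as the current user and prints what each setting produces. The 3770 (setgid) case goes beyond the thread and is included because it makes new entries inherit the directory's group; `mode_of`, `created_modes` and the scratch paths are names made up for this example.

```shell
#!/bin/sh
# Added example: group-shared directory modes from the thread.
# Runs in a scratch directory as the current user; needs no root and
# no real "webusers" group (assumption: GNU/Linux semantics).

# First 10 characters of `ls -ld`, e.g. drwxrwx--T
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a subdirectory and a file in directory $1 under umask $2,
# then print "<dir mode> <file mode>".
created_modes() {
    (
        umask "$2"
        rm -rf "$1/probe.d" "$1/probe.f"
        mkdir "$1/probe.d"
        : > "$1/probe.f"
        printf '%s %s\n' "$(mode_of "$1/probe.d")" "$(mode_of "$1/probe.f")"
    )
}

demo() {
    scratch=$(mktemp -d) || return 1
    shared="$scratch/web"
    mkdir "$shared"

    # 1770: owner and group rwx, others nothing, sticky bit set so
    # members can only remove entries they own.
    chmod 1770 "$shared"
    echo "1770 (sticky):        $(mode_of "$shared")"
    # A typical default umask strips group write from new entries.
    echo "  umask 022 creates:  $(created_modes "$shared" 022)"
    # umask 007 keeps group rwx and removes all access for others.
    echo "  umask 007 creates:  $(created_modes "$shared" 007)"

    # 3770 adds setgid: new entries take the directory's group rather
    # than the creator's primary group, and subdirectories stay setgid.
    chmod 3770 "$shared"
    echo "3770 (setgid+sticky): $(mode_of "$shared")"
    echo "  umask 007 creates:  $(created_modes "$shared" 007)"

    rm -rf "$scratch"
}

demo
```

On a real server the directory would also be given the shared group with `chgrp webusers`, which this scratch run skips.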
|
|
06-25-2001, 08:58 AM
|
#8
|
Senior Member
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243
Rep:
|
Having just read that guide - make sure you only change the shell if your users don't need an interactive login on the server! Changing it to /bin/false will result in the user not being able to spawn a shell...
Jamie...
|
|
|
06-25-2001, 09:06 AM
|
#9
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
They're only having ftp access (whether they like it or not!), no shell, so is it ok?
Also, I'm doing this all through webmin, so for the group thing, I went into Webmin / Servers / FTP / Users & Classes and typed "ftponly" in the Users & Groups to treat as guests. Is that right? (I wasn't too sure about :
Quote:
Add a group called ftponly to the /etc/group file with the command:
groupadd ftponly
Add the line
guestgroup ftponly
to your /etc/ftpaccess file. You should also add guest to the list of users in the log transfers directive in the same file.
|
Thanks for all your time!
Danny
|
|
|
06-25-2001, 09:06 AM
|
#10
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
eh?!
I don't have an "ftp" folder in /home
It says copy ftp and bin over into their folder
???
|
|
|
06-25-2001, 09:43 AM
|
#11
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
Well I skipped the copying bin and lib bit, and it seems to work fine, however I can't delete files out of that folder now!
I created a new folder and tried to delete it, and it just says denied!
I logged in as a normal user, and I now have access to that folder (usually I can't access another user's home dir), but I can't delete the folder!
Any ideas?!
Thanks,
Danny
|
|
|
06-25-2001, 09:59 AM
|
#12
|
Senior Member
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243
Rep:
|
If the ftp daemon doesn't internally implement the delete function then it will be trying to call /bin/rm - which won't exist if you haven't recreated the bin directory in the user's home dir... you might wanna copy /bin/ls and /bin/rm and mkdir etc into a bin dir for each user.
good luck
Jamie...
|
|
|
06-25-2001, 10:13 AM
|
#13
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
So shall I just copy /bin and /lib into their folder?
Although it's giving Access Denied, not Command Not Found or anything...?
Doesn't copying mean there's two copies, and therefore if anything's ever updated in one, the other will be not-updated (yes, that's a word).
Also, I put the /./ on the end, and didn't seem to do anything (still gave them full access), it was only when I told it to treat the group ftponly as a guest that it gave that folder a "root" type-feeling. (And I tried setting permissions to allow Guests to delete, thinking it might be that).
|
|
|
06-25-2001, 10:18 AM
|
#14
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
Well for some reason it's letting me delete (and I didn't change anything), however whenever I log out and back in, I don't see any files! It's empty (but if I try creating a new folder, it says /New Folder already exists).
I guess it's chrooted, but I don't know why! (I didn't type chroot anywhere! But that's what I wanted anyway)
Any ideas?!
|
|
|
06-25-2001, 10:23 AM
|
#15
|
LQ Newbie
Registered: Jun 2001
Posts: 13
Original Poster
Rep:
|
ARGH!!!
Ok, I copied /bin to /home/test/bin and logged in as test, and it still just shows an empty listing! The folders must be there, cos it dies when I try to create a new folder called "New Folder" (as it already exists), but it's not showing up at all!!
|
|
|