LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-11-2007, 07:04 PM   #1
Arkayne
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Rep: Reputation: 0
Configured vsftpd and sftp user can see root dir.


I'm setting up my first Linux Fedora box and noticed that my test user account can view the root dir in addition to the home dir. I'm using SFTP to connect to it. How do I limit the user to the home directory?

Last edited by Arkayne; 01-12-2007 at 11:15 AM.
 
Old 01-12-2007, 01:00 AM   #2
osdeals
Member
 
Registered: Jul 2006
Distribution: RHEL, CentOS, PuppyLinux, SuSe, Ubuntu, Debian
Posts: 59

Rep: Reputation: 15
You will want to add the following lines to your /etc/vsftpd/vsftpd.conf:

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

The first line tells vsftpd to limit (chroot) the local users (users on the system) to their own home directories.
The second line tells vsftpd that there are exceptions to the above rule.
The third line specifies the file in which the exceptions (users who should NOT be chrooted) are listed.

Hope that helps.
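Added example (not from the thread): a POSIX sh helper that applies the three settings above to a constructed vsftpd.conf and chroot list and reports whether a given user would be jailed; it also covers the chroot_local_user=NO case, where the same list means the opposite. Function names are hypothetical, and the check describes FTP logins only, which is why it says nothing about SFTP.

```shell
#!/bin/sh
# Hypothetical helper (not vsftpd's code): decide whether vsftpd will chroot a
# local FTP user, from the three chroot_* settings given in the post.
# All input below is constructed inline; nothing is read from the live system.

# Constructed vsftpd.conf fragment (the three lines from the post plus a comment)
SAMPLE_CONF='# constructed vsftpd.conf sample
listen=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list'

# Constructed /etc/vsftpd.chroot_list: with chroot_local_user=YES these are
# the users who are NOT jailed
SAMPLE_LIST='admin
backup'

# conf_value KEY CONF_TEXT -> prints the last uncommented value of KEY, or nothing
conf_value() {
  printf '%s\n' "$2" | grep -v '^#' | grep "^$1=" | tail -n 1 | cut -d= -f2-
}

# is_yes VALUE -> true for the spellings vsftpd accepts as boolean true
is_yes() {
  case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
    YES|TRUE|1) return 0 ;;
    *) return 1 ;;
  esac
}

# vsftpd_chroots_user USER CONF_TEXT LIST_TEXT -> prints "jailed" or "not-jailed"
# Mirrors the documented semantics: chroot_local_user=YES jails everyone except
# the listed users; chroot_local_user=NO (the default) jails only the listed
# users. The list is consulted only when chroot_list_enable is true.
vsftpd_chroots_user() {
  user=$1 conf=$2 list=$3
  in_list=no
  if is_yes "$(conf_value chroot_list_enable "$conf")" \
     && printf '%s\n' "$list" | grep -qx "$user"; then
    in_list=yes
  fi
  if is_yes "$(conf_value chroot_local_user "$conf")"; then
    [ "$in_list" = yes ] && echo not-jailed || echo jailed
  else
    [ "$in_list" = yes ] && echo jailed || echo not-jailed
  fi
}

# Stand-alone demo: the poster's own account would be jailed, admin would not
vsftpd_chroots_user arkayne "$SAMPLE_CONF" "$SAMPLE_LIST"   # -> jailed
vsftpd_chroots_user admin   "$SAMPLE_CONF" "$SAMPLE_LIST"   # -> not-jailed
```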
 
Old 01-12-2007, 11:15 AM   #3
Arkayne
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks osdeals,

Unfortunately, that didn't work and I don't know why. This is a brand new installation of Fedora. Prior to installing the vsftpd package, I was able to sftp into it and ran into this problem. I thought that installing vsftpd would fix it, but it didn't.

Is there somewhere else I should look or something else I should change?

My client machine is running OSX 10.4 and is using Cyberduck to SFTP into my Fedora box.

Last edited by Arkayne; 01-12-2007 at 11:21 AM.
 
Old 01-12-2007, 09:27 PM   #4
osdeals
Member
 
Registered: Jul 2006
Distribution: RHEL, CentOS, PuppyLinux, SuSe, Ubuntu, Debian
Posts: 59

Rep: Reputation: 15
sftp is actually unrelated to vsftpd (or any other FTP server for that matter).

sftp is part of the ssh subsystem (and so is scp), and hence unrelated to any FTP server.

The modifications to vsftpd will ensure that all users are restricted to their home directories when they FTP to the server.

If you want to restrict a user to only their home directory while using sftp, you will probably want to first restrict the user to their home dir (when they login to a shell via ssh / console).

To do this, you will want to change the user's shell to /bin/rbash.

One way to do this is:
1. cd /bin; ln -s bash rbash
2. edit /etc/shells, and add a line /etc/rbash at the end.
3. usermod -s /bin/rbash -d /home/username/./ username

This way, you're actually restricting the user from moving out of his / her home directory while logging into the machine itself. sftp should now restrict the user to his / her home directory.

Hope this helps.
 
Old 01-13-2007, 11:42 AM   #5
Arkayne
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Original Poster
Rep: Reputation: 0
I reallllly appreciate you taking the time out with this. I did exactly what you said and I can no longer successfully log into the server. I get this error:

SSH Error: Listing directory failed
/home/username
The SFTP Subsystem could not be initialized

In the User Manager, the Login Shell for the account is /bin/rbash and the Home Directory is /home/username/./

However, when I change the Login Shell back to /bin/bash I can log in, but I still can see the root directory. *shrug* Any thoughts?
 
Old 01-14-2007, 09:29 PM   #6
osdeals
Member
 
Registered: Jul 2006
Distribution: RHEL, CentOS, PuppyLinux, SuSe, Ubuntu, Debian
Posts: 59

Rep: Reputation: 15
Hmmm... I just simulated the same on a CentOS 4.4 box with WinSCP as the client (using only the sftp protocol), and I couldn't log in either. Quite strange actually.

I was very much able to log in via scp while being restricted to just my home directory. Checked with a regular ssh as well, and I still couldn't get out of my home directory. So the method works perfectly, just not with SFTP.

Very strange! sftp and scp are both part of the ssh subsystem. I believed they behaved identically... Guess I was wrong in that belief. My apologies!

Till someone is able to figure this one out, perhaps you might want to consider using SCP instead of SFTP (both are equally secure), keeping the recommendations from the last post intact.

A good SCP / SFTP client for MacOS X would be http://rsug.itd.umich.edu/software/fugu/

My passwd file shows "testuser:x:504:100::/home/testuser/./:/bin/rbash" , and it worked perfectly with SCP & SSH.

Hope that helps.
 
Old 01-15-2007, 01:10 AM   #7
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Rep: Reputation: 282
As an alternative to SFTP, you can set up vsftpd to use secure connections.
See Linux homeserver howto, chapter 14 FTP server.
Not sure which client can handle it on OSX.
 
Old 01-16-2007, 03:47 PM   #8
Arkayne
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Wim Sturkenboom
As an alternative to SFTP, you can set up vsftpd to use secure connections.
See Linux homeserver howto, chapter 14 FTP server.
Not sure which client can handle it on OSX.
I'll have to give this a try. In the meanwhile, is it really that difficult to limit sftp users to their home directory?
 