Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm setting up my first Linux Fedora box and noticed that my test user account can view the root dir in addition to the home dir. I'm using SFTP to connect to it. How do I limit the user to the home directory?
The first line tells vsftpd to limit (chroot) the local users (users on the system) to their own home directories.
The second line tells vsftpd that there are exceptions to the above rule.
The third line specifies the file in which the exceptions (users who should NOT be chrooted) are listed.
Unfortunately, that didn't work and I don't know why. This is a brand new installation of Fedora. Prior to installing the vsftpd package, I was able to sftp into it and ran into this problem. I thought that installing vsftpd would fix it but it didn't.
Is there somewhere else I should look or something else I should change?
My client machine is running OSX 10.4 and is using Cyberduck to SFTP into my Fedora box.
sftp is actually unrelated to vsftpd (or any other FTP server for that matter).
sftp is part of the ssh subsystem (and so is scp), and hence unrelated to any FTP server.
The modifications to vsftpd will ensure that all users are restricted to their home directories when they FTP to the server.
If you want to restrict a user to only their home directory while using sftp, you will probably want to first restrict the user to their home dir (when they login to a shell via ssh / console).
To do this, you will want to change the user's shell to /bin/rbash.
One way to do this is:
1. cd /bin; ln -s bash rbash
2. edit /etc/shells, and add a line /etc/rbash at the end.
3. usermod -s /bin/rbash -d /home/username/./ username
This way, you're actually restricting the user from moving out of his / her home directory while logging into the machine itself. sftp should now restrict the user to his / her home directory.
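The rbash recipe above, and the sftp failure reported later in the thread, both come down to what a restricted shell refuses. The script below is an added demonstration and not code from the thread: it runs command lines under `bash -r` (the same restricted mode that /bin/rbash enters) in the way sshd hands a subsystem to the login shell, `$SHELL -c '<command>'`. sshd's sftp subsystem is configured with an absolute path (the Fedora location `/usr/libexec/openssh/sftp-server` used here is an assumption, and the file need not exist for the demo), and restricted bash refuses any command name containing `/`, so the subsystem never starts; `scp` is invoked by bare name and resolved through PATH, which is why it keeps working. Two things to keep in mind when following the recipe: /etc/shells must list the same path given to `usermod -s`, i.e. /bin/rbash, and rbash is a convenience restriction rather than a security boundary, so it should not be the only thing keeping a user inside the home directory.

```shell
#!/bin/bash
# Added demonstration, not code from the thread: what a restricted bash refuses
# and why an sftp login breaks under it. `bash -r` enters the same restricted
# mode as /bin/rbash, so nothing here needs root or touches /etc/shells or any
# user account.

# Assumed location of the OpenSSH sftp-server binary (typical on Fedora). The
# path does not need to exist: restricted bash rejects it before looking it up.
SFTP_SERVER=/usr/libexec/openssh/sftp-server

# sshd starts a subsystem through the user's login shell as:
#     $SHELL -c '<subsystem command>'
# This mimics that for an rbash user. Exit status 0 means the restricted shell
# refused the command line; non-zero means the shell accepted and ran it.
restricted_rejects() {
    ! bash -r -c "$1" >/dev/null 2>&1
}

# Same invocation, but keep only the shell's own explanation (its stderr) so
# the reason for the refusal can be shown.
restricted_error_message() {
    bash -r -c "$1" 2>&1 >/dev/null
}

# Walk through the cases that matter for the thread and report each one:
#   - the sftp subsystem's absolute path   (rejected: '/' in command name)
#   - leaving the home directory with cd   (rejected: cd is disabled)
#   - changing PATH                        (rejected: PATH is read-only)
#   - replacing the shell with exec        (rejected: exec is disabled)
#   - a plain command found via PATH       (allowed, which is how scp still ran)
demo() {
    local cmd
    for cmd in "$SFTP_SERVER" 'cd /' 'PATH=/tmp' 'exec /bin/sh' 'true'; do
        if restricted_rejects "$cmd"; then
            printf 'REJECTED  %-40s %s\n' "$cmd" "$(restricted_error_message "$cmd")"
        else
            printf 'ALLOWED   %s\n' "$cmd"
        fi
    done
}

demo
```

Running it prints one REJECTED line per restricted operation, each followed by bash's own message, and a single ALLOWED line for the bare command; the absolute sftp-server path is the case that corresponds to the "SFTP Subsystem could not be initialized" error reported later in the thread.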
I reallllly appreciate you taking the time out with this. I did exactly what you said and I can no longer successfully log into the server. I get this error:
SSH Error: Listing directory failed
/home/username
The SFTP Subsystem could not be initialized
In the User Manager, the Login Shell for the account is /bin/rbash and the Home Directory is /home/username/./
However, when I change the Login Shell back to /bin/bash I can log in, but I still can see the root directory. *shrug* Any thoughts?
hmmm... I just simulated the same on a CentOS 4.4 box with WinSCP as client (using only the sftp protocol) and I couldn't log in either. Quite strange actually.
I was very much able to log in via scp while being restricted to just my home directory. Checked with a regular ssh as well, and I still couldn't get out of my home directory. So the method works perfectly, but just not with SFTP.
Very strange! sftp and scp are both part of the ssh subsystem. I believed they behaved identically. Guess I was wrong in that belief. My apologies!
Until someone is able to figure this one out, perhaps you might want to consider using SCP instead of SFTP (both are equally secure), keeping the recommendations from the last post intact.