LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-06-2006, 10:12 AM   #1
afgs_uk
LQ Newbie
 
Registered: Nov 2006
Posts: 12

Rep: Reputation: 0
Question vsftpd (ftp) users can browse whole system. How can i disable this?


Hi, I have recently setup an FTP server both on Red Hat Enterprise Linux 4 and Fedora Core 6 with the same results. (not a distro problem)

I don't want to use anonymous ftp, i want users to be able to log in with passwords and private home directories that are readable by one company login (not root). I have achieved this by adding a user called "company" in the group "company"

My users can rwx in their home directory, and change directories up to root and then see everything.

*********** vsftpd.conf *************

[root@ftp vsftpd]# cat vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to COMPANY FTP Server
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

******************** END OF VSFTPD.CONF **************

contents of /home

[root@ftp home]# ls -tlr
total 4
drwxrwx--- 2 ftptest company 4096 Nov 3 17:11 ftptest

contents of /

[root@ftp /]# ls -ltr
total 138
drwxr-xr-x 2 root root 4096 Oct 10 23:06 srv
drwxr-xr-x 2 root root 4096 Oct 10 23:06 opt
drwxr-xr-x 2 root root 4096 Oct 10 23:06 mnt
drwxr-xr-x 2 root root 16384 Nov 3 13:20 lost+found
drwxr-xr-x 2 root root 4096 Nov 3 13:21 selinux
drwxr-xr-x 4 root root 1024 Nov 3 13:27 boot
drwxr-xr-x 23 root root 4096 Nov 3 13:31 var
drwxr-xr-x 2 root root 4096 Nov 3 13:35 media
drwxr-xr-x 125 root root 0 Nov 3 13:38 proc
drwxr-xr-x 11 root root 0 Nov 3 13:38 sys
drwxr-xr-x 2 root root 0 Nov 3 13:39 misc
drwxr-xr-x 2 root root 0 Nov 3 13:39 net
drwxr-xr-x 13 root root 3900 Nov 3 13:39 dev
drwxr-xr-x 14 root root 4096 Nov 3 14:51 lib
drwxr-xr-x 2 root root 4096 Nov 3 14:51 bin
drwxr-xr-x 2 root root 12288 Nov 3 14:51 sbin
drwxr-xr-x 16 root root 4096 Nov 3 16:50 usr
drwxr-xr-x 3 root root 4096 Nov 3 16:50 home
drwxr-xr-x 18 root root 4096 Nov 6 11:41 root
drwxr-xr-x 88 root root 4096 Nov 6 11:41 etc
drwxr-xr-x 11 root root 4096 Nov 6 11:45 tmp


If I login as user ftptest I can see my home directory and not other home directories with permissions 770, but if I give /home 770 I can't run .bash_profile.

How can I prevent the user ftptest browsing my entire system?

Should I be using something like /bin/rksh in /etc/passwd?


Thanks in advance.

Alex
 
Old 11-06-2006, 10:53 AM   #2
redir
Member
 
Registered: May 2004
Location: Virginia USA
Distribution: Debian_Ubuntu_FreeBSD
Posts: 122

Rep: Reputation: 16
Here is what i did. Creat a linux user and a home directory where you want this user to ftp files to. Then in your vsftp.conf you need:


# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES

This chroots your user to only there home directory. I believe this is called a chroot jail. This will not prevent the user from seeing other directories in an SSH however.
 
Old 11-06-2006, 11:19 AM   #3
afgs_uk
LQ Newbie
 
Registered: Nov 2006
Posts: 12

Original Poster
Rep: Reputation: 0
thanks, that worked but......

OK, so now when I try and browse in ftp session it fails (below)

ftp>
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 6 Nov 06 16:02 test
-rw-r--r-- 1 0 0 0 Nov 06 16:02 testing
226 Directory send OK.
ftp: 127 bytes received in 0.00Seconds 127000.00Kbytes/sec.
ftp> cd /usr/bin
550 Failed to change directory.
ftp>


***************

But how can i restrict them from trying ssh, if they realise it's a Linux server, if they're anything like me they'll try and have a nosy around.

Any ideas anyone?

I can restrict root from logging in remotely, can I do this for other users just for ssh ???
 
Old 11-06-2006, 11:53 AM   #4
redir
Member
 
Registered: May 2004
Location: Virginia USA
Distribution: Debian_Ubuntu_FreeBSD
Posts: 122

Rep: Reputation: 16
There is a patch for openSSH if that is what you are using. I've never used it so I don't know anything about it but here it is:

http://chrootssh.sourceforge.net/index.php


redir
 
Old 11-06-2006, 12:10 PM   #5
afgs_uk
LQ Newbie
 
Registered: Nov 2006
Posts: 12

Original Poster
Rep: Reputation: 0
thanks mate, i'll give it a bash
 
Old 11-08-2006, 07:29 AM   #6
afgs_uk
LQ Newbie
 
Registered: Nov 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Lightbulb Problem solved - Simple explanation below

ftp users were sorted from above, but could still ssh and cd../../ and do a full listing and see all system directories etc etc

As the primary group for all my ftp users is ftp-users, in /etc/ssh/sshd_config I added the line

DenyGroups ftp-users

saved, restarted ssh daemon and Bob is now my uncle!

Thanks to redhat knowledge base article:

http://kbase.redhat.com/faq/FAQ_45_5990.shtm
 
Old 11-08-2006, 10:20 AM   #7
redir
Member
 
Registered: May 2004
Location: Virginia USA
Distribution: Debian_Ubuntu_FreeBSD
Posts: 122

Rep: Reputation: 16
Cool. I may have to give that a try...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
VSFTPD - users can browse up to root t3___ Linux - Software 1 12-10-2004 02:24 PM
One shared folder for multiple ftp users -- vsftpd rover Linux - Networking 0 06-17-2004 07:07 AM
Ftp users accessing other folder in VSFTPD VJD Linux - Networking 6 01-13-2004 07:16 AM
FTP only users for vsftpd. jsbush Linux - Newbie 2 10-27-2003 07:13 PM
Restricting FTP Users to their home dir in vsftpd ~ForgottenFlux~ Linux - Software 2 09-03-2003 08:54 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration