LinuxQuestions.org


ride153 03-08-2007 09:32 AM

FTP users are jailed to home dir
 
I have an issue with proftpd on my pclinuxos server.

I can log in via ftp fine but I'm locked to my home directory. I looked at my proftpd.conf file but didn't see anything related to that..

Anyone know how this is set up?

Code:

cat proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                  on

# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                          022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            nobody
Group                          nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot /

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>
# Needed for NIS.

PersistentPasswd off

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
DefaultRoot /home/rt rt
DefaultRoot /home/jt jt
DefaultRoot /home/user user

#drakwizard_proftpd
<Global>
  <Limit LOGIN>
    Order allow,deny
    Allow from all
    Deny from all
  </Limit>
</Global>
#drakwizard_proftpd

ServerAdmin
RootLogin on
AllowForeignAddress off
AllowRetrieveRestart on
DefaultRoot ~
DirFakeUser off nobody
LogFormat auth "%v [%P] %h %t "%r" %s"
Extendedlog /var/log/proftpd/ftp.log
UseReverseDNS off
LogFormat default "%h %l %u %t "%r" %s %b"
SystemLog /var/log/proftpd/proftpd.log
DisplayConnect /etc/banner-proftpd
DirFakeGroup off nobody
DeleteAbortedStores off
IdentLookups off
DeferWelcome on
TimesGMT off
TransferLog /var/log/proftpd/xferlog
AccessGrantMsg " -- Guest access granted for %u --"
ServerIdent off
LogFormat write "%h %l %u %t "%r" %s %b"
AccessDenyMsg " !-!! ACCESS DENY !!-! SEEMS YOU HAVE NO RIGHT THERE !!"
ShowSymlinks on


nx5000 03-08-2007 09:41 AM

Quote:

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
DefaultRoot /home/rt rt
DefaultRoot /home/jt jt
DefaultRoot /home/user user

Well, not hard, comment these lines.
?

miedward 03-08-2007 09:53 AM

The DefaultRoot option puts the logged in user in a chroot environment. That means that they are restricted in their access in the filesystem as if root started in that directory. In this case

DefaultRoot /home/user user

means that for any user with name "user" (it's a wildcard basically) they are stuck in /home/user.

If you are uploading web pages you could do something like

DefaultRoot /var/www/html user

Which would make everybody locked in the web directory, assuming they have access to the directory.

Just be careful, ftp is very insecure (sends passwords in plain text). Allowing general access to the machine makes it very exploitable.

I would suggest using SFTP and closing off the ftp service entirely. If you are running sshd anyway, you get SFTP for free and the client GUIs are similar in function. Also, they don't usually set up chroot jails by default since the protocol itself is fairly secure.

Just some unasked-for advice :)

ride153 03-08-2007 10:23 AM

Thanks for the replies! Stupid me, how did I miss that lol.... I did "DefaultRoot / user" and that seems to work.

I hope it's not too risky doing this but I wanted to be able to ftp some files to directories outside my home path.

Thanks again

nx5000 03-08-2007 05:47 PM

Quote:

I hope it's not too risky doing this but i wanted to be able to ftp some files to directories outside my home path.

It's less risky than not upgrading when there is a new version or using a poorly-chosen password.

But in your case, you can keep your chroot:
Links won't work because they still point out of the root. But mount has an option to mount a directory tree to another directory tree.

mount /datafiles /home/user/datafiles -o rbind

With this, a user chrooted to /home/user will be able to access /datafiles

Using scp/sftp is also a good idea, as it's encrypted and the network protocol is simpler.
If you use it in conjunction with scponly, you can make your box a secure transfer server.
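
An added example, not part of any post in this thread: a small audit that reads the DefaultRoot lines of a proftpd.conf and reports, per account, which directory the session is rooted in and whether "DefaultRoot / user" has left that account unjailed. ProFTPD documents the optional second argument as a group expression, so the check matches on group names. Assumptions: the account and group names are constructed, and directives are taken in file order with the first match applying.

```python
# Constructed sample: DefaultRoot lines from the posted proftpd.conf, with
# "DefaultRoot /home/user user" replaced by the "DefaultRoot / user" workaround.
SAMPLE_CONF = """\
# DefaultRoot /
DefaultRoot /home/rt rt
DefaultRoot /home/jt jt
DefaultRoot / user
DefaultRoot ~
"""
# Constructed accounts (assumption): user -> (home directory, group names).
ACCOUNTS = {
    "rt": ("/home/rt", ["rt"]),
    "user": ("/home/user", ["user"]),
    "guest": ("/home/guest", ["guest"]),
}

def parse_default_roots(conf_text):
    """Return [(directory, group_expr or None)] in file order, ignoring comments."""
    roots = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].lower() == "defaultroot":
            roots.append((words[1], words[2] if len(words) > 2 else None))
    return roots

def group_expr_matches(expr, groups):
    """Comma-separated group names are ANDed; a leading '!' negates a name."""
    for term in expr.split(","):
        negated, name = term.startswith("!"), term.lstrip("!")
        if (name in groups) == negated:
            return False
    return True

def effective_root(roots, home, groups):
    """Assumption: the first matching directive in file order applies."""
    for directory, expr in roots:
        if expr is None or group_expr_matches(expr, groups):
            return home + directory[1:] if directory.startswith("~") else directory
    return "/"  # no DefaultRoot matched: the session is not chrooted

def audit(conf_text, accounts):
    """Return {user: (effective root, jailed?)} for each account."""
    roots = parse_default_roots(conf_text)
    found = {u: effective_root(roots, home, set(g)) for u, (home, g) in accounts.items()}
    return {u: (root, root != "/") for u, root in found.items()}

if __name__ == "__main__":
    for user, (root, jailed) in audit(SAMPLE_CONF, ACCOUNTS).items():
        print(f"{user:6} root={root:12} {'jailed' if jailed else 'NOT JAILED'}")
```

Keeping "DefaultRoot ~" for everyone and exposing /datafiles through the rbind mount shown above would make every account in this report come back jailed.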


All times are GMT -5.