LinuxQuestions.org
Old 03-08-2007, 09:32 AM   #1
ride153
Member
 
Registered: Apr 2005
Location: Northeast USA
Distribution: current is PCLOS (server) and Suse (desktop)
Posts: 102

Rep: Reputation: 15
FTP users are jailed to home dir


I have an issue with proftpd on my pclinuxos server.

I can log in via ftp fine but I'm locked to my home directory. I looked at my proftpd.conf file but didn't see anything related to that.

Anyone know how this is set up?

Code:
 cat proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            nobody
Group                           nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# DefaultRoot /

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>
# Needed for NIS.

PersistentPasswd off

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
DefaultRoot /home/rt rt
DefaultRoot /home/jt jt
DefaultRoot /home/user user

#drakwizard_proftpd
<Global>
  <Limit LOGIN>
    Order allow,deny
    Allow from all
    Deny from all
  </Limit>
</Global>
#drakwizard_proftpd

ServerAdmin 
RootLogin on
AllowForeignAddress off
AllowRetrieveRestart on
DefaultRoot ~
DirFakeUser off nobody
LogFormat auth "%v [%P] %h %t "%r" %s"
Extendedlog /var/log/proftpd/ftp.log
UseReverseDNS off
LogFormat default "%h %l %u %t "%r" %s %b"
SystemLog /var/log/proftpd/proftpd.log
DisplayConnect /etc/banner-proftpd
DirFakeGroup off nobody
DeleteAbortedStores off
IdentLookups off
DeferWelcome on
TimesGMT off
TransferLog /var/log/proftpd/xferlog
AccessGrantMsg " -- Guest access granted for %u --"
ServerIdent off
LogFormat write "%h %l %u %t "%r" %s %b"
AccessDenyMsg " !-!! ACCESS DENY !!-! SEEMS YOU HAVE NO RIGHT THERE !!"
ShowSymlinks on

Last edited by ride153; 03-08-2007 at 09:35 AM.
 
Old 03-08-2007, 09:41 AM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 55
Quote:
# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
DefaultRoot /home/rt rt
DefaultRoot /home/jt jt
DefaultRoot /home/user user
Well, not hard, comment these lines.
?
 
Old 03-08-2007, 09:53 AM   #3
miedward
Member
 
Registered: Feb 2007
Distribution: RHEL 4, SOLARIS 10
Posts: 91

Rep: Reputation: 15
The DefaultRoot option puts the logged in user in a chroot environment. That means that they are restricted in their access in the filesystem as if root started in that directory. In this case

DefaultRoot /home/user user

means that for any user with name "user" (it's a wildcard basically) they are stuck in /home/user.

If you are uploading web pages you could do something like

DefaultRoot /var/www/html user

Which would make everybody locked in the web directory, assuming they have access to the directory.

Just be careful, ftp is very insecure (sends passwords in plain text). Allowing general access to the machine makes it very exploitable.

I would suggest using SFTP and closing off the ftp service entirely. If you are running sshd anyway, you get SFTP for free and the client GUIs are similar in function. Also, they don't usually set up chroot jails by default since the protocol itself is fairly secure.

Just some unasked for advice
 
Old 03-08-2007, 10:23 AM   #4
ride153
Member
 
Registered: Apr 2005
Location: Northeast USA
Distribution: current is PCLOS (server) and Suse (desktop)
Posts: 102

Original Poster
Rep: Reputation: 15
Thanks for the replies! Stupid me, how did I miss that lol... I did "DefaultRoot / user" and that seems to work.

I hope it's not too risky doing this but I wanted to be able to ftp some files to directories outside my home path.

thanks again

Last edited by ride153; 03-08-2007 at 10:32 AM.
 
Old 03-08-2007, 05:47 PM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 55
Quote:
I hope it's not too risky doing this but I wanted to be able to ftp some files to directories outside my home path.
It's less risky than not upgrading when there is a new version or using a poorly chosen password.

But in your case, you can keep your chroot:
Links won't work because they still point out of the root. But mount has an option to mount a directory tree to another directory tree.

mount /datafiles /home/user/datafiles -o rbind

With this, a user chrooted to /home/user will be able to access /datafiles

Using scp/sftp is also a good idea; it's encrypted and the network protocol is simpler.
If you use it in conjunction with scponly, you can make your box a secure transfer server.

Last edited by nx5000; 03-08-2007 at 05:53 PM.
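
Added example, not part of any post in this thread: a shell helper that lists the active DefaultRoot directives in a proftpd.conf, so lines like the ones overlooked in the first post stand out. The function names and the sample file are constructed for illustration; ProFTPD documents DefaultRoot's optional second argument as a group expression, and a root of / confines nothing.

```shell
#!/bin/sh
# audit_defaultroot and write_sample_conf are hypothetical helper names,
# not ProFTPD tools. Output columns: line number, verdict, directory, who.

audit_defaultroot() {
    awk '
        # Commented-out directives such as "# DefaultRoot /" are inactive.
        /^[[:space:]]*#/ { next }
        tolower($1) == "defaultroot" {
            dir = $2
            who = "everyone"          # no group expression: applies to all
            if (NF >= 3) {
                who = $3
                for (i = 4; i <= NF; i++) who = who " " $i
            }
            # A root of "/" is the whole filesystem, so nothing is confined.
            verdict = (dir == "/") ? "NOT-JAILED" : "jailed"
            printf "%d\t%s\t%s\t%s\n", NR, verdict, dir, who
        }
        # Root logging in over cleartext FTP deserves a flag of its own.
        tolower($1) == "rootlogin" && tolower($2) == "on" {
            printf "%d\tWARN\tRootLogin on\t-\n", NR
        }
    ' "$1"
}

# Constructed sample built from directives quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# DefaultRoot /
DefaultRoot /home/rt rt
DefaultRoot /home/user user
RootLogin on
DefaultRoot ~
DefaultRoot / user
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_defaultroot "$conf"
rm -f "$conf"
```

Run against the real file with `audit_defaultroot /etc/proftpd.conf` (path is an assumption; use wherever your distribution keeps it). More than one line for the same user or group means the effective root deserves a manual check.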
 
  

