FTP Users are able to Traverse directories up to the root of my server
Hi, I have put together a Redhat Linux 9 machine in order to run a web site.
I am currently trying to work out how I can allow certain users to FTP into the website and update certain areas, but not have access to all areas.
The FTP client running is vsftpd, to which I have been able to perform anonymous logins, getting to /var/ftp/pub (and only view pub, and not traverse up directories).
I have also been able to set up users with home drives, and I am able to FTP into those home drives.
It is this that causes the problem. When I FTP in I am able to navigate my way right up to the root of the server, and then navigate my way around the server.
I would like to know how to stop this navigation upwards from the point that you log in.
I did try restricting permissions on other folders, but ended up having to reinstall from scratch!
Thanks
Steve
P.S. I apologise if this has already been asked elsewhere in the lists.
Does this problem occur only when you log in as anonymous, or when you log in as a guest user, or both?
I can help you because I run vsftpd as well. I think your problem is related to chroot, so you must configure vsftpd.conf to chroot users to their home directory. And you must check that home directories are specified as follows in "/etc/passwd":
It's very important to add "./" at the end of users' home directories so that users land in their own directories and can't go up to parent ones. And it's very important to add "/bin/false" as well.
Then you must check that "/bin/false" is included in the file "shells" in the etc directory.
In the end, I found a reference on the net to add chroot_local_user=YES to my vsftpd.conf file and also added the /./ to the Home Directory in /etc/passwd as mentioned by ilpadrino.
I was struggling to find a sample file for the /etc/vsftpd.chroot_list after enabling chroot_list_enable=YES, but the post on the net answered this with the line above.
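Pulling the three settings the replies converge on into one check, as an added example that is not code from the thread or from the vsftpd project: a small POSIX sh audit that reads a vsftpd.conf, a passwd file and a shells file and reports any user who would not be jailed. File paths are taken as arguments so it runs against constructed sample files; on a real Red Hat box the assumed locations are /etc/vsftpd/vsftpd.conf, /etc/passwd and /etc/shells. The sample passwd deliberately leaves one user ("marc") without the /./ marker and with a real shell so the audit has something to report.

```sh
#!/bin/sh
# Added example, not from the thread: audit the three settings the replies
# converge on (chroot_local_user=YES in vsftpd.conf, a "/./" jail marker and
# /bin/false in each FTP user's passwd entry, and /bin/false listed in the
# shells file). Paths are arguments; real locations (assumed) are
# /etc/vsftpd/vsftpd.conf, /etc/passwd and /etc/shells.

# 0 if an uncommented chroot_local_user=YES line is present in the config.
vsftpd_chroot_enabled() {
    grep -Eq '^[[:space:]]*chroot_local_user[[:space:]]*=[[:space:]]*YES[[:space:]]*$' "$1"
}

# Print login names of ordinary users (UID >= 500, the Red Hat 9 convention)
# whose home lacks the "/./" marker or whose shell is not /bin/false.
passwd_unjailed_users() {
    awk -F: '$3 >= 500 && ($6 !~ /\/\.\// || $7 != "/bin/false") { print $1 }' "$1"
}

# 0 if shell $2 appears as a whole line in the shells file $1.
shell_listed() {
    grep -qx "$2" "$1"
}

# Run all checks on the files in directory $1; print findings, return 1 if any.
audit_ftp_jail() {
    dir="$1"
    rc=0
    if ! vsftpd_chroot_enabled "$dir/vsftpd.conf"; then
        echo "FINDING: chroot_local_user=YES is not set in $dir/vsftpd.conf"
        rc=1
    fi
    for u in $(passwd_unjailed_users "$dir/passwd"); do
        echo "FINDING: user $u has no /./ jail marker or a real login shell"
        rc=1
    done
    if ! shell_listed "$dir/shells" /bin/false; then
        echo "FINDING: /bin/false is missing from $dir/shells"
        rc=1
    fi
    return $rc
}

# Write constructed sample files (not real system files) into directory $1.
# "marc" is deliberately left unjailed so the audit has something to report.
write_samples() {
    cat > "$1/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
passwd_chroot_enable=YES
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
steve:x:500:500::/home/steve/./:/bin/false
webdev:x:501:501::/var/www/html/./:/bin/false
marc:x:502:502::/home/marc:/bin/bash
EOF
    cat > "$1/shells" <<'EOF'
/bin/sh
/bin/bash
/bin/false
EOF
}

# Stand-alone run against the samples; prints one FINDING line, for marc.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_ftp_jail "$tmp" || echo "audit finished with findings"
rm -rf "$tmp"
```

Two vsftpd details worth knowing when applying this (facts about vsftpd, not something the posts state): the /./ marker in the passwd home field is only honoured when passwd_chroot_enable=YES is set alongside chroot_local_user=YES, which is why the sample config carries both; with chroot_local_user=YES alone every local user is simply jailed in their whole home directory, which is usually enough for the case in this thread. And once chroot_local_user=YES is on, enabling chroot_list_enable=YES inverts the meaning of /etc/vsftpd.chroot_list: the users named in it are the ones NOT jailed, so an empty list is the safe default.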
I found this thread in searching for a way to sftp into my server as 'root'. I just got a dedicated from serverbeach running Redhat 9 with cPanel but I'm not an admin - I know enough basics to 'manage' a FreeBSD server (enough to be dangerous) without a control panel. I've had a site up through Verio since 1996 - a 'virtual server' running FreeBSD and this was never an issue.
I fully understand this is a security issue.
A fellow is doing the basic initial setup for me and whilst I'm not particularly averse to telnet and the command line, for some things it's just simpler for me to graphically see the files in a window, be able to change permissions easily and simply and such.
From what I can tell this was possible back in version 7. I found this at redhat:
It sounds like it can be enabled. The below is from 7, but from the link above it appears it may still be applicable.
/etc/ftpusers
This file lists all the users that are not allowed to FTP into your machine. For example, root is listed in /etc/ftpusers by default. That means that you cannot FTP to your machine and log in as root. This is a good security measure, but some administrators prefer to remove root from this file. http://www.redhat.com/docs/manuals/l...admin-ftp.html
I don't want anonymous ftp access at all.
Have any of you folks set up redhat 9 for ftp or sftp as root or know how?
Marc-
It seems to me that what you are looking to do is to be able to gain full access to your server from afar; may I suggest a much more secure approach? How about ssh & scp & rsync??
--SSH allows encrypted communication (secure shell); with an ssh server running you can gain full terminal access to your remote machine, run programs as root, start and stop processes etc. You can be securely logged in, and you choose whether to live with encrypted password authentication or the more secure public/private keys.
--SCP uses the SSH encryption to move a limited number of files.
--rsync -ave ssh [from] [to] allows you to move larger data sets (it is slower than a direct FTP connection, but more secure).
I have had FTP access abused on several servers and DO NOT recommend it for anything except controlled use on isolated boxes-- trust me, the frustrations of getting ssh up and running are far more palatable than a cracked machine & FTP is very, very hard to make secure-
Yes - the idea was/is to be able to ftp or sftp into a 'dedicated server' like I have on my FreeBSD server; I set it up in 1997-8. Since there's only me on it, the issue is really limited to someone 'cracking' the password to get in - I think.
I don't want to run programs or such. It's so easy to go in via ftp and say download apache's config file, edit it on my Mac, rename the file on the server (I append a date so I know what file I had until a given date) and re-upload the changed file.
I also am learning the Linux directory structure.
I guess I'll have to learn vi and such to edit online and get ready to dive back in the command line mentality.
Your advice is appreciated. I will probably abandon the idea, but then again as I said earlier I've been on a FreeBSD box for years, always had root sftp access and never had a problem.
I'm new to a lot of this stuff - I just maintain my own server, I'm not a knowledgeable admin. And I'm totally new to Linux. I'll check out SCP and rsync -ave ssh.