Solved

Simple: ProFTPD Server (Directory question)

Posted on 2001-07-23
5
247 Views
Last Modified: 2010-03-18
Hi,
I just set up an FTP server using ProFTPD. This server is intended to be a thing that allows me to access certain files on my system from anywhere. However, there is one huge problem: this system is also used as a workstation and some users have weak passwords. Is there a way that I can limit it so that an FTP connection can only access a certain directory of my system (e.g. /ftp/)? And I don't want anonymous FTP.
0
Question by:m_morgan
5 Comments
 
LVL 4

Expert Comment

by:newmang
ID: 6311031
I haven't used ProFTPD for a while but, as I recall, the default setting was for the daemon to run a chroot'ed home directory. Have a look in the configuration file to see if that setting has been changed otherwise look in the man page for the chroot settings.
0
 

Author Comment

by:m_morgan
ID: 6311276
Can't find anything of that sort in the config file or the man page.

If my question was unclear I want the following:

When all users log in, they start at a specified directory (e.g. /ftp). Once logged in, they can only read, write, or execute things in that directory and lower (they are restricted to /ftp and its sub-directories).
0
 
LVL 1

Accepted Solution

by:
leochan72 earned 50 total points
ID: 6315709
Hi,

Try using the "DefaultRoot" directive.
I also use this directive on my FTP server. It seems to be what you want.

Below is the explanation from the Proftpd website.
Hope it can help.

Leo


DefaultRoot
Syntax: DefaultRoot directory [group-expression]
Default: /
Context: server config, <VirtualHost>, <Global>
Module: mod_auth
Compatibility: 0.99.0pl7 and later

The DefaultRoot directive controls the default root directory assigned to a user upon login. If DefaultRoot is set to a directory other than "/", a chroot operation is performed immediately after a client authenticates. This can be used to effectively isolate the client from a portion of the host system filespace. The specified root directory must begin with a / or can be the magic character '~'; meaning that the client is chroot jailed into their home directory. If the DefaultRoot directive specifies a directory which disallows access to the logged-in user's home directory, the user's current working directory after login is set to the DefaultRoot instead of their normal home directory. DefaultRoot cannot be used in <Anonymous> configuration blocks, as the <Anonymous> directive explicitly contains a root directory used for Anonymous logins.

The special character '~' is replaced with the authenticating user's home directory immediately after login. Note that the default root may be a subdirectory of the home directory, such as "~/anon-ftp".

The optional group-expression argument can be used to restrict the DefaultRoot directive to a unix group, groups or subset of groups. The expression takes the format: [!]group-name1[,[!]group-name2[,...]]. The expression is parsed in a logical boolean AND fashion, such that each member of the expression must evaluate to logically TRUE in order for the DefaultRoot directive to apply. The special character '!' is used to negate group membership.

Care should be taken when using DefaultRoot. Chroot "jails" should not be used as methods for implementing general system security as there are potentially ways that a user can "escape" the jail.

Example of a DefaultRoot configuration:

ServerName "A test ProFTPD Server"
ServerType inetd
User ftp
Group ftp
#
# This causes proftpd to perform a chroot into the authenticating user's directory immediately after login.
# Once this happens, the user is unable to "see" higher level directories.
# Because a group-expression is included, only users who are a member of
# the group 'users' and NOT a member of 'staff' will have their default
# root directory set to '~'.
DefaultRoot ~ users,!staff
...

0
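The directive reference quoted above gives enough to reason about who actually ends up jailed: the group-expression is optional (so a bare "DefaultRoot /ftp" applies to everyone), a group-expression is a comma list of "[!]group" terms that are ANDed together, and "~" or "~/sub" expands against the user's home directory. The script below is an added example, not ProFTPD's own code: it parses DefaultRoot lines out of a proftpd.conf fragment and reports which of a constructed set of accounts would still have "/" as their root. It assumes only top-level DefaultRoot lines matter (no <VirtualHost>, <Global> or <Anonymous> scoping) and that the first directive whose expression matches a user is the one that applies; the account data is made up for the demonstration.

```python
"""Toy model of ProFTPD's DefaultRoot group-expression semantics.

Added example (not ProFTPD's own code). Assumptions: only top-level
DefaultRoot lines are considered, and the first directive whose
group-expression matches the user is the one that applies.
"""


def parse_group_expression(expr):
    """Split '[!]g1[,[!]g2,...]' into a list of (negated, group) terms."""
    terms = []
    for token in expr.split(","):
        token = token.strip()
        if not token:
            continue
        negated = token.startswith("!")
        terms.append((negated, token[1:] if negated else token))
    return terms


def expression_matches(expr, user_groups):
    """Logical AND over the terms: every term must hold for the user."""
    for negated, group in parse_group_expression(expr):
        member = group in user_groups
        # A positive term fails when the user is not a member;
        # a negated term fails when the user is a member.
        if member == negated:
            return False
    return True


def default_root_directives(config_text):
    """Yield (directory, group_expression_or_None) for each DefaultRoot line."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0].lower() != "defaultroot" or len(parts) < 2:
            continue
        directory = parts[1].strip('"')
        group_expr = parts[2].strip() if len(parts) > 2 else None
        yield directory, group_expr


def effective_root(config_text, home, user_groups):
    """Directory the user is chrooted into, or '/' if no directive applies."""
    for directory, group_expr in default_root_directives(config_text):
        if group_expr is None or expression_matches(group_expr, user_groups):
            if directory == "~":
                return home
            if directory.startswith("~/"):
                return home.rstrip("/") + directory[1:]
            return directory
    return "/"


def unjailed_users(config_text, accounts):
    """Audit helper: accounts whose root would remain '/' (not chrooted)."""
    return sorted(name for name, (home, groups) in accounts.items()
                  if effective_root(config_text, home, groups) == "/")


# Constructed sample accounts: name -> (home directory, set of groups).
ACCOUNTS = {
    "alice": ("/home/alice", {"users"}),
    "bob":   ("/home/bob",   {"users", "staff"}),
    "carol": ("/home/carol", {"wheel"}),
}

# The answer's own example: only members of 'users' who are NOT in 'staff'.
CONFIG_GROUP_EXPR = """
ServerName "A test ProFTPD Server"
DefaultRoot ~ users,!staff
"""

# No group-expression: the directive applies to every authenticated user.
CONFIG_ALL_USERS = """
DefaultRoot /ftp
"""

if __name__ == "__main__":
    for label, cfg in (("users,!staff", CONFIG_GROUP_EXPR),
                       ("no expression", CONFIG_ALL_USERS)):
        print(f"{label}: still unjailed -> {unjailed_users(cfg, ACCOUNTS)}")
```

Running it shows that with the answer's "DefaultRoot ~ users,!staff" both bob (a member of staff) and carol (not in users) keep "/" as their root, while "DefaultRoot /ftp" with no expression leaves nobody unjailed; that second form is the one that matches "no matter who logs in".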
 

Author Comment

by:m_morgan
ID: 6315841
Is there a way that I can apply this to all groups without specifying them individually? This way, no matter who logs in, they are limited to that directory?
0
 

Author Comment

by:m_morgan
ID: 6315867
Is there a way to keep people from breaking out of jail?
0
