Solved
How do I prevent an ftp user on proftpd from seeing and accessing other users' directories?

Posted on 2004-11-19
Last Modified: 2008-03-17
I want him to ftp into his account that is set up in /home/user only, and not be able to access or even see the other accounts in there.
Thanks
Question by: SiliconDirect

20 Comments
Expert Comment by: gdplusmore (ID: 12630444)

Expert Comment by: Nemesis-Services (ID: 12645118)
Edit proftpd.conf (usually located in /usr/local/etc/proftpd.conf).

I've supplied a full proftpd.conf for your pleasure, let me know if it works :)
Then restart the proftpd daemon.

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "FTP Server"
ServerType                     standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nobody

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

</Anonymous>

<Anonymous /home/user>
        User username
        Group groupname
        AnonRequirePassword     on
        <Limit SITE CHMOD>
                DenyAll
        </Limit>
        <Directory /*>
                AllowOverwrite  on
        </Directory>
        <Limit LOGIN>
                AllowALL
        </Limit>
        HideUser        root
        HideGroup       root
</Anonymous>

Author Comment by: SiliconDirect (ID: 12645701)
I don't want any anonymous users at all. I just want a user (i.e. Fred) and to grant Fred access only to his folder, without being able to navigate to other folders on the server.

Expert Comment by: Nemesis-Services (ID: 12645747)
In that case comment out: UserAlias                     anonymous ftp

#UserAlias                     anonymous ftp

and delete the </Anonymous> just before the <Anonymous /home/user> line, as I meant to delete that.

The <Anonymous> is just proftpd's syntax I'm afraid - it does confuse people who haven't been in the config before :)

Basically the config allows users only into their home dir and NOTHING else.
Author Comment by: SiliconDirect (ID: 12659363)
We did exactly that: copied the whole conf file to the /etc/proftpd.conf file, then restarted xinetd (service xinetd restart).

The users can still chdir up and browse all the files on the system.

Once again, for clarity and perhaps redundancy's sake: when you log in as "Fred" you should be able to access /home/Fred and all subdirectories... if you're in /home/Fred and chdir up, you won't be able to get to /home at all. We don't want them to even see the different dirs/files, regardless of whether they can access/change them or not.

Thanks in advance for any help
Expert Comment by: Nemesis-Services (ID: 12659551)
What operating system are you using? Also, that config works for my users, e.g.:

User Fred logs in to /home/fred and gets into all files and sub folders within /home/fred but cannot go anywhere else; in fact user Fred does not see /home/fred, he sees: /

Author Comment by: SiliconDirect (ID: 12659563)
Mandrake 10.

That would be ideal - for Fred to see "/" and nothing above it... that's what we're trying to do.
Expert Comment by: Nemesis-Services (ID: 12659606)
I noticed that you're using xinetd; my config is not to use xinetd:
ServerType                     standalone

Change the config to be:
ServerType                    inetd

and then restart proftpd via xinetd. Also, is the server reading the correct config file?
Author Comment by: SiliconDirect (ID: 12659627)
How would I know what config file it is using? The one we're modifying is /etc/proftpd.conf
Author Comment by: SiliconDirect (ID: 12659675)
I noticed that it's expecting a nobody / nobody user / group... we have no groups set up, and currently one user (the one that we want restricted).

How imperative is this to set up these restrictions?
Expert Comment by: Nemesis-Services (ID: 12659698)
This is just so the proftpd daemon can run as a non-trusted root user (it's a security feature).

I don't use Mandrake, but you could check the folder in xinetd and view the proftpd file (if there is one).

Expert Comment by: Nemesis-Services (ID: 12659747)

Author Comment by: SiliconDirect (ID: 12659768)
This is the /etc/xinetd.d/proftpd-xinetd file:

# default: off
# description: proftpd server, xinetd version. \
# Don't run the standalone version if you run \
# this!

service ftp
{
      disable = yes
      socket_type            = stream
      wait                  = no
      user                  = root
      server                  = /usr/sbin/in.ftpd
      log_on_success            += DURATION USERID
      log_on_failure            += USERID
      nice                  = 10
      disable                  = yes
}
Expert Comment by: Nemesis-Services (ID: 12659809)
OK, the xinetd file states proftpd is disabled, so restarting xinetd is no good as it's not doing anything. This means there must be an actual process running. Can you do the following: ps auxf | grep proftpd. If there is a proftpd daemon running then it's running in standalone and not xinetd, which means there is another proftpd start/stop script, which I think is in /etc/rc.d/init.d/proftpd

Author Comment by: SiliconDirect (ID: 12659850)
[root@x1-6-00-01-03-86-8b-95 etc]# ps auxf | grep proftpd
root       441  0.0  0.1  1712  440 pts0     R    09:45   0:00  |                   \_ grep proftpd
[root@x1-6-00-01-03-86-8b-95 etc]#


I edited the /etc/rc.d/init.d/proftpd  and added DefaultRoot ~  ...  then restarted xinetd again, and it still lets me browse...
Expert Comment by: Nemesis-Services (ID: 12659875)
No, /etc/rc.d/init.d/proftpd is just the startup and stopping of the ftp server. Is the machine accessible from the internet? If so, would you like me to log on and fix it, and I'll let you know what I did to fix it?

Author Comment by: SiliconDirect (ID: 12659990)
Yeah... 24.57.49.205

How can I privately give you l / p?
Expert Comment by: Nemesis-Services (ID: 12660000)
Email address is (REMOVE NOSPAM please):

experts-exchange@nemesis-NOSPAMservices.co.uk

Author Comment by: SiliconDirect (ID: 12660143)
Email has been sent... please let me know what you do to fix it.
Accepted Solution by: Nemesis-Services (earned 700 total points, ID: 12660231)
OK, that's it working. I've replied back to your email as it's got a temp login which I created; you can test, then delete it.
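As an added example (not from the thread or from ProFTPD), a small shell audit of a proftpd.conf for the setting that actually confines real users, DefaultRoot ~, which also spots the two pitfalls the thread ran into: wrapping the user in an <Anonymous> block, and restarting xinetd while its proftpd entry is disabled. The config and xinetd files it reads are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: a static audit of a proftpd.conf for the
# question the thread chases, i.e. will a real user be confined to $HOME?
# ProFTPD does that with "DefaultRoot ~" in the main server (or <Global>)
# context; an <Anonymous> block does not confine a normal login.
# has_defaultroot FILE: exit 0 if an uncommented "DefaultRoot ~..." line
# exists outside every <Anonymous> block, else exit 1.
has_defaultroot() {
    awk '
        /^[[:space:]]*#/             { next }     # comment line
        /^[[:space:]]*<Anonymous/    { depth++ }  # entering <Anonymous>
        /^[[:space:]]*<\/Anonymous>/ { depth-- }  # leaving it
        depth == 0 && tolower($1) == "defaultroot" && $2 ~ /^~/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# server_type FILE: print "standalone", "inetd" or "unset".  A standalone
# config is never started by an xinetd entry, and vice versa.
server_type() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "servertype" { t = tolower($2) }
        END { print (t == "" ? "unset" : t) }
    ' "$1"
}

# xinetd_disabled FILE: exit 0 if the xinetd service file says "disable = yes"
# (then "service xinetd restart" never starts proftpd, whatever the conf says).
xinetd_disabled() {
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# audit CONF: one-line verdict; exit 0 only if real users are confined.
audit() {
    if has_defaultroot "$1"; then
        echo "confined: DefaultRoot ~ present (ServerType=$(server_type "$1"))"
    else
        echo "NOT confined: no DefaultRoot ~ (ServerType=$(server_type "$1"))"
        return 1
    fi
}
# Constructed samples (not real files on any host): the thread's
# <Anonymous /home/user> approach, a fixed config, and a disabled xinetd entry.
WEAK=$(mktemp); FIXED=$(mktemp); XINETD=$(mktemp)
printf '%s\n' 'ServerType standalone' '<Anonymous /home/user>' \
    '    User username' '    AnonRequirePassword on' '</Anonymous>' > "$WEAK"
printf '%s\n' 'ServerType inetd' '# confine every real user to their home' \
    'DefaultRoot ~' > "$FIXED"
printf '%s\n' 'service ftp' '{' '      disable = yes' '}' > "$XINETD"
audit "$WEAK" || true; audit "$FIXED"
```

On a live box, run the audit against the file the daemon really loads (proftpd -t prints the config it parsed), since the thread's edits never reached the running server.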