SiliconDirect

How do I prevent an ftp user on proftpd from seeing and accessing other users' directories?

I want him to ftp into his account that is setup in /home/user only and not be able to access or even see the other accounts in there.
Thanks
gdplusmore

edit proftpd.conf (usually located in: /usr/local/etc/proftpd.conf)

I've supplied a full proftpd.conf for your pleasure, let me know if it works: :)
then restart proftpd daemon

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "FTP Server"
ServerType                     standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nobody

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

</Anonymous>

<Anonymous /home/user>
  User                          username
  Group                         groupname
  AnonRequirePassword           on
  <Limit SITE CHMOD>
    DenyAll
  </Limit>
  <Directory /*>
    AllowOverwrite              on
  </Directory>
  <Limit LOGIN>
    AllowAll
  </Limit>
  HideUser                      root
  HideGroup                     root
</Anonymous>

SiliconDirect (ASKER)

I don't want any anonymous users at all. I just want a user (i.e. Fred) and to grant Fred access only to his folder without being able to navigate to other folders on the server.

in that case comment out: UserAlias                     anonymous ftp

#UserAlias                     anonymous ftp

and delete the </Anonymous> just before the <Anonymous /home/user> line, as I meant to delete that.

the <Anonymous is just proftpd's syntax I'm afraid - it does confuse people who haven't been in the config before :)

basically the config allows users only into their home dir and NOTHING else

We did exactly that, copied the whole conf file to the /etc/proftpd.conf file, then restarted xinetd (service xinetd restart).

The users can still chdir up and browse all the files on the system.

Once again, for clarity and perhaps redundancy's sake: when you log in as "Fred" you should be able to access /home/Fred and all subdirectories... if you're in /home/Fred and chdir up, you won't be able to get to /home at all. We don't want them to even see the different dirs/files, regardless of whether they can access/change them or not.

Thanks in advance for any help

What operating system are you using? Also, that config works for my users, e.g.:

user Fred logs in to /home/fred and gets into all files and sub folders within /home/fred but cannot go anywhere else; in fact the Fred user does not see /home/fred, he sees: /

Mandrake 10.

That would be ideal - for fred to see " / " and nothing above it... that's what we're trying to do.

I noticed that you're using xinetd; my config is not to use xinetd:
ServerType                     standalone

change the config to be:
ServerType                    inetd

and then restart proftpd via xinetd. Also, is the server reading the correct config file?

How would I know what config file it is using? The one we're modifying is /etc/proftpd.conf
I noticed that it's expecting a nobody / nobody user / group... we have no groups set up, and currently one user (the one that we want restricted)

How imperative is it to set up these restrictions?

this is just so the proftpd daemon can run as a non trusted root user (it's a security feature)

I don't use Mandrake but you could check the folder in xinetd and view the proftpd view (if there is one)

This is the /etc/xinetd.d/proftpd-xinetd file:

# default: off
# description: proftpd server, xinetd version. \
# Don't run the standalone version if you run \
# this!

service ftp
{
      disable = yes
      socket_type            = stream
      wait                  = no
      user                  = root
      server                  = /usr/sbin/in.ftpd
      log_on_success            += DURATION USERID
      log_on_failure            += USERID
      nice                  = 10
      disable                  = yes
}

ok, the xinetd file states proftpd is disabled, so restarting xinetd is no good as it's not doing anything. This means there must be an actual process running. Can you do the following: ps auxf | grep proftpd, and if there is a proftpd daemon running then it's running in standalone and not xinetd, which means there is another proftpd start/stop script, which I think is in /etc/rc.d/init.d/proftpd

[root@x1-6-00-01-03-86-8b-95 etc]# ps auxf | grep proftpd
root       441  0.0  0.1  1712  440 pts0     R    09:45   0:00  |                   \_ grep proftpd
[root@x1-6-00-01-03-86-8b-95 etc]#

I edited the /etc/rc.d/init.d/proftpd  and added DefaultRoot ~  ...  then restarted xinetd again, and it still lets me browse...

no, /etc/rc.d/init.d/proftpd is just the startup and stopping of the ftp server. Is the machine accessible from the internet? If so, would you like me to log on and fix it, and I'll let you know what I did to fix it?
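The thread's two sticking points are the missing DefaultRoot directive (it belongs in proftpd.conf, not the init script) and a ServerType that does not match how the daemon is launched. As an added example, not code from the thread, this POSIX shell audit checks a proftpd.conf for those settings against constructed sample files; the file paths and the `audit_proftpd_conf` name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a proftpd.conf for the
# settings that confine an FTP user to their home, and check that ServerType
# matches how xinetd is configured. All inputs below are constructed samples.
TMP=${TMPDIR:-/tmp}/proftpd-audit.$$
mkdir -p "$TMP"; trap 'rm -rf "$TMP"' EXIT

# Constructed: config like the one in the thread; it never sets DefaultRoot.
cat >"$TMP/weak.conf" <<'EOF'
ServerType   standalone
<Anonymous ~ftp>
  User ftp
  UserAlias anonymous ftp
</Anonymous>
EOF
# Constructed: corrected config. DefaultRoot ~ chroots each login into its
# own home, so "/" is the user's home and nothing above it is visible.
cat >"$TMP/fixed.conf" <<'EOF'
ServerType   inetd
DefaultRoot  ~
EOF
# Constructed xinetd service files, one disabled (as in the thread), one enabled.
printf 'service ftp\n{\n\tdisable = yes\n}\n' >"$TMP/xinetd-off"
printf 'service ftp\n{\n\tdisable = no\n}\n'  >"$TMP/xinetd-on"

# audit_proftpd_conf CONF XINETD_FILE: prints each finding, returns the count.
audit_proftpd_conf() {
    body=$(sed 's/#.*//' "$1"); fails=0
    # 1. a DefaultRoot directive (~ or a path) is what keeps users inside their home dir
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*DefaultRoot[[:space:]]+(~|/)'; then
        echo "FAIL: no DefaultRoot; users can cd above their home"; fails=$((fails+1))
    fi
    # 2. an <Anonymous> block means anonymous-style logins are still defined
    if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*<Anonymous'; then
        echo "FAIL: <Anonymous> block present"; fails=$((fails+1))
    fi
    # 3. ServerType must match the launcher, or edits to the config never take effect
    st=$(printf '%s\n' "$body" | awk 'tolower($1)=="servertype"{print tolower($2)}')
    if grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$2"; then xoff=1; else xoff=0; fi
    if [ "$st" = inetd ] && [ "$xoff" = 1 ]; then
        echo "FAIL: ServerType inetd but the xinetd service is disabled"; fails=$((fails+1))
    elif [ "$st" = standalone ] && [ "$xoff" = 0 ]; then
        echo "FAIL: ServerType standalone while xinetd would also launch it on port 21"; fails=$((fails+1))
    fi
    return "$fails"
}
# On a real host: audit_proftpd_conf /etc/proftpd.conf /etc/xinetd.d/proftpd-xinetd
```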

yeah...   24.57.49.205

how can I privately give you l / p ?

email address is, REMOVE NOSPAM plz:

experts-exchange@nemesis-NOSPAMservices.co.uk

Email has been sent... plz lemme know what you do to fix it.

ASKER CERTIFIED SOLUTION
Nemesis-Services