How do I prevent an FTP user on ProFTPD from seeing and accessing other users' directories?

I want him to FTP into his account that is set up in /home/user only, and not be able to access or even see the other accounts in there.
Thanks
SiliconDirect Asked:
gdplusmore Commented:
0
Nemesis-Services Commented:
Edit proftpd.conf (usually located in /usr/local/etc/proftpd.conf).

I've supplied a full proftpd.conf for your pleasure, let me know if it works :)
Then restart the proftpd daemon.

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "FTP Server"
ServerType                     standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

# Set the user and group that the server normally runs at.
User                            nobody
Group                           nobody

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite                on
</Directory>

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayFirstChdir             .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

</Anonymous>

<Anonymous /home/user>
        User username
        Group groupname
        AnonRequirePassword     on
        # ProFTPD names this command SITE_CHMOD (with an underscore)
        <Limit SITE_CHMOD>
                DenyAll
        </Limit>
        <Directory /*>
                AllowOverwrite  on
        </Directory>
        <Limit LOGIN>
                AllowAll
        </Limit>
        HideUser        root
        HideGroup       root
</Anonymous>

0
SiliconDirect Author Commented:
I don't want any anonymous users at all. I just want a user (i.e. Fred) and to grant Fred access only to his folder, without being able to navigate to other folders on the server.

0
Nemesis-Services Commented:
In that case comment out: UserAlias anonymous ftp

#UserAlias                     anonymous ftp

and delete the </Anonymous> just before the <Anonymous /home/user> line, as I meant to delete that.

The <Anonymous is just proftpd's syntax, I'm afraid - it does confuse people who haven't been in the config before :)

Basically the config allows users only into their home dir and NOTHING else.
0
SiliconDirect Author Commented:
We did exactly that: copied the whole conf file to the /etc/proftpd.conf file, then restarted xinetd (service xinetd restart).

The users can still chdir up and browse all the files on the system.

Once again, for clarity and perhaps redundancy's sake: when you log in as "Fred" you should be able to access /home/Fred and all subdirectories... if you're in /home/Fred and chdir up, you won't be able to get to /home at all. We don't want them to even see the different dirs/files, regardless of whether they can access/change them or not.

Thanks in advance for any help.
0
Nemesis-Services Commented:
What operating system are you using? Also, that config works for my users, e.g.:

User Fred logs in to /home/fred and gets into all files and sub folders within /home/fred, but cannot go anywhere else. In fact the Fred user does not see /home/fred, he sees: /

0
SiliconDirect Author Commented:
Mandrake 10.

That would be ideal - for Fred to see "/" and nothing above it... that's what we're trying to do.
0
Nemesis-Services Commented:
I noticed that you're using xinetd; my config is not for use with xinetd:
ServerType                     standalone

Change the config to be:
ServerType                    inetd

and then restart proftpd via xinetd. Also, is the server reading the correct config file?
0
SiliconDirect Author Commented:
How would I know what config file it is using? The one we're modifying is /etc/proftpd.conf.
0
SiliconDirect Author Commented:
I noticed that it's expecting a nobody / nobody user / group... we have no groups set up, and currently one user (the one that we want restricted).

How imperative is this to set up these restrictions?
0
Nemesis-Services Commented:
This is just so the proftpd daemon can run as a non-trusted root user (it's a security feature).

I don't use Mandrake, but you could check the folder in xinetd and view the proftpd file (if there is one).

0
Nemesis-Services Commented:
0
SiliconDirect Author Commented:
This is the /etc/xinetd.d/proftpd-xinetd file:

# default: off
# description: proftpd server, xinetd version. \
# Don't run the standalone version if you run \
# this!

service ftp
{
      disable = yes
      socket_type            = stream
      wait                  = no
      user                  = root
      server                  = /usr/sbin/in.ftpd
      log_on_success            += DURATION USERID
      log_on_failure            += USERID
      nice                  = 10
      disable                  = yes
}
0
Nemesis-Services Commented:
OK, the xinetd file states proftpd is disabled, so restarting xinetd is no good as it's not doing anything. This means there must be an actual process running. Can you do the following: ps auxf | grep proftpd. If there is a proftpd daemon running then it's running in standalone mode and not via xinetd, which means there is another proftpd start/stop script, which I think is in /etc/rc.d/init.d/proftpd.

0
SiliconDirect Author Commented:
[root@x1-6-00-01-03-86-8b-95 etc]# ps auxf | grep proftpd
root       441  0.0  0.1  1712  440 pts0     R    09:45   0:00  |                   \_ grep proftpd
[root@x1-6-00-01-03-86-8b-95 etc]#


I edited the /etc/rc.d/init.d/proftpd  and added DefaultRoot ~  ...  then restarted xinetd again, and it still lets me browse...
0
Nemesis-Services Commented:
No, /etc/rc.d/init.d/proftpd is just for starting and stopping the FTP server. Is the machine accessible from the internet? If so, would you like me to log on and fix it, and I'll let you know what I did to fix it?

0
SiliconDirect Author Commented:
Yeah... 24.57.49.205

How can I privately give you l / p?
0
Nemesis-Services Commented:
Email address is (REMOVE NOSPAM plz):

experts-exchange@nemesis-NOSPAMservices.co.uk

0
SiliconDirect Author Commented:
Email has been sent... plz lemme know what you do to fix it.
0
Nemesis-Services Commented:
OK, that's it working. I've replied back to your email as it's got a temp login which I created; you can test and then delete it.
0
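The thread never records what was actually changed over email, but the directive it circles around is DefaultRoot, which the posted configuration does not contain and which the asker later put into the init script instead of proftpd.conf. An <Anonymous> block defines an anonymous-style login, which is not the mechanism for confining a normal system account. The configuration below is an added example, not the one posted above and not taken from the ProFTPD project: a minimal /etc/proftpd.conf that locks every system account into its own home directory with no anonymous login. The server name and the group name ftpusers are constructed placeholders; nobody is the unprivileged account the posted config also assumes.

```apacheconf
# Added example (not the config posted in the thread): minimal ProFTPD
# configuration that confines every system account to its own home directory.
# "Example FTP Server" and the group "ftpusers" are constructed placeholders.

ServerName      "Example FTP Server"
# Must match how the daemon is launched: "standalone" when started from
# /etc/rc.d/init.d/proftpd, "inetd" when xinetd spawns it per connection.
ServerType      standalone
DefaultServer   on
Port            21
Umask           022
MaxInstances    30

# Unprivileged identity the daemon drops to after binding port 21.
User            nobody
Group           nobody

# The directive that answers the question: after login the session is
# chrooted into the user's home directory, so Fred sees "/" and that "/"
# is really /home/fred. Nothing above it is visible, let alone reachable.
DefaultRoot     ~

# Variant: chroot only members of one group and leave other accounts
# unrestricted (e.g. admins). Use one of the two DefaultRoot lines, not both.
#DefaultRoot    ~ ftpusers

# FTP-only accounts are often given a non-login shell; ProFTPD refuses
# those logins unless this check is switched off.
RequireValidShell off

# There is deliberately no <Anonymous> block, so no anonymous login exists.

<Directory /*>
  AllowOverwrite  on
  # Users may replace their own files but not change file modes.
  <Limit SITE_CHMOD>
    DenyAll
  </Limit>
</Directory>
```

Save this as /etc/proftpd.conf (the file the asker was editing) and check that it parses with `proftpd -t -c /etc/proftpd.conf`; a parse error there is also the quickest proof that the file being edited is the one the daemon reads. Restart with /etc/rc.d/init.d/proftpd restart rather than xinetd, since the pasted xinetd file has `disable = yes` and is not involved, and confirm with `ps auxf | grep proftpd` that a daemon is actually running afterwards. Two things the chroot does not change: the permissions on the other directories under /home (a chrooted FTP session cannot reach them, but any other login path still sees whatever is world-readable, so tightening those modes is the real boundary), and the requirement that each user's home directory exists and is owned by that user, otherwise the chroot fails and the login is refused.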