SFTP access

10 posts / 0 new
Last post
#1 Wed, 08/07/2013 - 12:52
virtualpaul

SFTP access

To enable SFTP access on my web sites, I did the following: - In Virtualmin -> Webmin -> Servers -> SSH Server - Access Control -> Only allow users -> add virtual server username - Click "Save" - Click "Apply Changes"

if I open a SFTP session for web site A: I can see and change the content of the '/home/web site A' (good) I cannot see or change the content of '/home/web site B' (good) I can see and read the content of all the folders on my server (/bin, /boot, /etc, ...) which is very bad obviously.

Any idea on how to fix this?

Wed, 08/07/2013 - 14:07
andreychek

Howdy,

There's some information about all that in the Security FAQ here:

https://www.virtualmin.com/documentation/security/faq

Wed, 08/07/2013 - 15:44 (Reply to #2)
virtualpaul

Thanks,

I tried the 'Limits and Validation -> FTP Directory Restrictions' set to either of the following:

Users' home directories Virtual server's home directory

It does not seem to do anything on my server. I can still change folders and seeing the whole system except /home/[other users].

Wed, 08/07/2013 - 16:51
andreychek

Well, it sounds like you're performing the instructions in the section "How can I prevent FTP Users from Browsing the Entire Filesystem?" -- unfortunately, that's specific to FTP. SFTP uses a different mechanism (it goes over SSH).

What you'd want there is the second section of those docs, "How can I prevent other types of users from browsing the entire filesystem?".

-Eric

Fri, 08/09/2013 - 10:25
jimdunn

Hey VirtualPaul, I used FTPeS, see https://www.virtualmin.com/node/29262

Fri, 08/09/2013 - 11:45
Locutus

@virtualpaul: It's not really "very bad" that a Linux user can see and read the contents of /bin and /boot and so on. In a Linux file system, those paths don't contain anything secret, but only stuff that anybody can see and know by installing the same distribution for themselves.

All things that ARE security relevant, like password file contents or other configuration stuff, is by default set up with permissions that only allow root or administrative users to see them.

Actually, for a Linux user to be able to log on and do stuff in the shell, they HAVE to be able to see and read the things in /bin, because how else would they execute programs? :) As long as they can't WRITE those files, everything is good.

Fri, 08/09/2013 - 14:53
jimdunn

PRIVACY / SECURITY

My 2c worth here... I agree with both of you... I love linux, and it's open architecture...

But, I have clients that want privacy as well as security...

So, I can't give them SFTP (SSH) access, because they could see:

a) all the other domain names in /home b) all the virtualmin and webmin readable data in /etc

So, FTPeS was my only solution (since I don't allow shell accounts).

Fri, 08/09/2013 - 18:13
Locutus

@jimdunn: Yes, you're certainly right there. With SSH, there are some things like seeing contents of /home (not necessarily being able to enter foreign homes, but seeing their folder names) that are mostly inevitable, and ftps does have advantages there.

Fri, 08/09/2013 - 20:00 (Reply to #8)
jimdunn

I had originally thought "hey, just chmod 700 /home, and all will be well"... but then, I remembered /etc, and that along with having no idea what chmod 700 /home would break... I gave up... : )

Sat, 08/10/2013 - 19:05 (Reply to #9)
Locutus

It's not a good idea to set /home to 700, because that'd prevent users from writing into their homes. :) On a Linux file system, to be able to write into a directory, you need write access to that directory and all parent directories.

Topic locked