How to limit seeing and reading of an FTP user when using FileZilla?

I'm not clear on how the "Allow access to web directories" in Virtualmin works or how to limit FTP directory access.

The ProFTPD virtual FTP feature is enabled. For a user that has allowed directories awstat and stats, when I FTP using FileZilla, then they can access other directories. For example, if I used VM to back up the databases to a directory that's outside of the user's directory, FileZilla can access that db backup directory and download those directories.

How can I prevent a file client like FileZilla from accessing directories outside of the user's home directory?

Status: Closed (fixed)

Comments

I don't know if this is related, but for my server template it has the default values for ProFTPD:

ServerName ${DOM}
<Anonymous ${HOME}/ftp>
User ftp
Group ftp
UserAlias anonymous ftp
<Limit WRITE>
DenyAll
</Limit>
RequireValidShell off
ExtendedLog ${HOME}/logs/ftp.log
</Anonymous>

Looking at Virtualmin > Limits and Validation > FTP Directory Restrictions, it did have a default setting of: All virtual servers --> User's home directory

I would have expected that that would have prevented an FTP client from browsing other directories.

So I set up another restriction only server --> Virtual server's home directory

That did the trick --> FileZilla could only see the home directory.

Thanks

Oh, just for interest, what would have been the Linux CLI syntax to do this?

Hmm, if you're seeing something in the FTP Directory Restrictions screen that you think should be working, but isn't, it may help to take a screenshot of that and share that screenshot with us.

However, I don't believe there is a command line way to perform the FTP Directory Restrictions (other than manually editing the config file, that is).

It looks like there are two active rules there. One for locking users into the virtual server's homedir, and another for locking one particular domain into the users' individual homedirs.

The third rule listed there isn't marked as active.

Are you seeing any current problems though?

Status: Active » Closed (fixed)
Submitted by Joe on Sat, 01/21/2017 - 18:49 Pro Licensee

As an aside, the "ProFTPd virtual FTP" feature is not related to chroot or file access at all.

That feature dedicates an IP address to FTP for the selected domain. It is almost never needed or desired. You do not need to give up an IP in order to chroot users in ProFTPd, so you can turn the "ProFTPD virtual FTP" feature off. I actually disable it entirely on my servers, so no one accidentally uses it (no reason to waste IPs on it). It's probably something we should be disabling in a default install... make it so the very very very few people who need the feature have to turn it on manually.

Oh, I didn't realize. Okay, I will not use the "ProFTPd virtual FTP".
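
The config-file route mentioned in the thread, as an added example that is not part of the original posts or Virtualmin's own code: ProFTPD confines logged-in users with its DefaultRoot directive, and this Python script reports, per server context, whether every user is confined. It assumes the restrictions live in proftpd.conf as DefaultRoot lines; the sample config and the function name audit_default_root are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): three server contexts with
# different DefaultRoot coverage.
SAMPLE_CONF = """\
ServerName "main"
DefaultRoot ~ ftpusers          # only members of group ftpusers are jailed
<VirtualHost 192.0.2.10>
  DefaultRoot ~                 # every user is jailed to their home
</VirtualHost>
<VirtualHost 192.0.2.11>
  <Anonymous ~ftp>
    User ftp
  </Anonymous>
</VirtualHost>
"""

def audit_default_root(conf_text):
    """Map each server context to 'jailed', 'partial' or 'open'."""
    rules = {"server config": []}      # context -> [(directory, group_expr)]
    ctx = "server config"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"<(VirtualHost|Global)\b([^>]*)>", line, re.I)
        if opened:
            kind, args = opened.group(1).lower(), opened.group(2).strip()
            ctx = "global" if kind == "global" else "vhost " + args
            rules.setdefault(ctx, [])
        elif re.match(r"</(VirtualHost|Global)>", line, re.I):
            ctx = "server config"
        else:
            words = line.split()
            if words[0].lower() == "defaultroot" and len(words) >= 2:
                rules[ctx].append((words[1], " ".join(words[2:])))
    shared = rules.pop("global", [])   # <Global> applies to every server
    report = {}
    for name, own in rules.items():
        effective = own + shared
        if any(expr == "" and d != "/" for d, expr in effective):
            report[name] = "jailed"    # a rule with no group filter covers all users
        elif effective:
            report[name] = "partial"   # rules exist but do not confine every user
        else:
            report[name] = "open"      # no chroot: other directories are browsable
    return report

if __name__ == "__main__":
    for context, status in audit_default_root(SAMPLE_CONF).items():
        print(f"{context}: {status}")
```

A context reported as "open" or "partial" matches the symptom in the question: an FTP client can walk to any directory that file permissions allow.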