Limits and Validation jail an FTP user is not working

6 posts / 0 new
Last post
#1 Fri, 02/23/2018 - 11:22
gstlouis

Limits and Validation jail an FTP user is not working

I've found several threads about this. It should be relatively simple to do this under Limits and Validation->FTP Directory Restrictions, check the active, chose the domain and simply chose "users home directory" and click save. it says its done and working.

but I can still browser the whole system to the root /.

I do not understand what I am doing wrong. I have a subdomains in that domain with an additional user, but I have tried both the user for this particular domain and the additional user and both can get out of their home DIR and browser whatever they want.

any ideas what I am doing wrong?

Fri, 03/16/2018 - 15:25
gstlouis

no one has any suggestions?

Sat, 03/17/2018 - 03:59
Diabolico
Diabolico's picture

You cant do anything. The problem is with Virtualmin that it doesnt have caged users as you have with cPanel and Plesk (or some other CP). Try to navigate outside of the designated folder and see if you can edit/open the files. If you cant then its working "as intended", but if you can open/edit then you have a huge security problem with your server and should be investigated.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 03/17/2018 - 09:43
gstlouis

thanks for your comment. No it looks to be working correctly, even though the user can climb the dir structure some folders are denied like it should.
I have read on the forum if you use simple FTP then the functions in "Limits and Validation -> FTP Directory Restrictions, choose "Users' home directories", and then check the "Active" box" which are comments from @andreychek.

But I do not know enough about proftpd to setup FTP on port 21 and virtualmin seems to really change the configuration file /etc/proftpd.conf. I just want to jail an FTP user for the folks that ask for access to upload files in public_html and I don't want them roaming my other directories to see my other client information.

any suggestions would be appreciated.

Thanks again

Sat, 03/17/2018 - 18:00
Diabolico
Diabolico's picture

You cant do anything about your users able to navigate outside their designated folders. If you search forum/tracker you will find quite few topics talking about same subject, but until now Virtualmin devs have a stance that this is ok/acceptable. I do not agree with them and regardless if the client can "only" navigate but cant open the files is a big NO in my book.

To not forget this problem could easily go against new European GDPR because it allows users on your server to see who is else hosted what nullifies the privilege for your clients to be hidden/private or to put it simple "not disclose any of their data to the public". But when the "s**t hit the fan" you as server owner will be the only one held accountable for all/any damages in the eyes of the law as you will fail to fulfill a simple question/requirement - "did you take all the necessary steps to secure your clients and their data?". Just a side note, with new GDPR law doesnt matter where are you located as long as you offer/have clients from the EU you are responsible as the server owner. So just keep this in mind.

In case you keep one server -> one virtualmin - > one client you should be fine.

P.S. I didnt have time to read in depth entire GDPR so what i said could not be entirely true, still i would like to urge anyone who is offering their service to EU citizens by using Virtualmin to inform yourself. Not only that you are held responsible in the eyes of the law but you will be charged for any damages caused by lack of security or any kind of leaking when it comes to your client data, e.g. literally anything what could identify your client such as name, surname, nickname, code, serial number, address, etc... etc.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 03/22/2018 - 07:11
gstlouis

I do agree there should be some functionality to Jail uses inside their own domains. It sure looks like a pain to do because I've been trying to configure something on port 22 or port 21 with proftp and I just can't seem to get it working. Even reading the docs online about DefaultRoot I have not been able to set this up nor can I even get simple FTP going. SFTP works fine with it however...

It would be nice if they have this working for Virtualmin. Although I still love Vritualmin as an alternative to other panels :)