how to restrict a user in his home directory

18 posts / 0 new
Last post
#1 Tue, 03/24/2009 - 22:15
opaque

how to restrict a user in his home directory

hi all

how can i restrict a user into his home directory. at the moment sftp connections can browse trough the hole server, but i wont that the users can see which other domains are on the server.

i don´t use proftpd. the connections are made via sftp (ssh port 22).

greetings opaque

Wed, 03/25/2009 - 04:33
andreychek

That came up recently in the Support Tracker:

http://www.virtualmin.com/index.php?option=com_flyspray&Itemid=82&am...

You can check that out for the full explanation, but essentially it's hard to do, and Joe and Jamie feel that it doesn't actually offer the security bonuses people expect :-)
-Eric

Fri, 03/27/2009 - 11:10 (Reply to #2)
ronald
ronald's picture

they can't
at least on my server a user can not go into the directory from another user.
also they can not get into most directories outside /home
in the ones they can, they cannot download/view/edit sensitive files.
also they can not write to any files they do not have permission to.

the only 'risk' is a malicious user can see the usernames in /home and won't have to guess that part if he wants to attack. If you think you have malicious users or untrusted users, do not give them sh access.

Sat, 03/28/2009 - 11:46 (Reply to #3)
ronald
ronald's picture

on my server a domain owner can go into etc but NOT view proftpd.conf.
Per haps you need to review your security

Sat, 03/28/2009 - 11:51 (Reply to #4)
ronald
ronald's picture

also I have no idea what your mysql password is doing in that file, I don't see that in mine..

Sat, 03/28/2009 - 11:57 (Reply to #5)
opaque

my ftp users are stored in a mysql table.

Sat, 03/28/2009 - 12:27 (Reply to #6)
ronald
ronald's picture

under webmin - servers - proftpd server - Files and Directories
Go to: Limit users to directories and set to: Home directory

not sure if that will do the trick for you but that is how it is set at my server.
Also securing your server is not a matter of clicking a button. I suggest to google and read a lot.

Sat, 03/28/2009 - 14:57 (Reply to #7)
ronald
ronald's picture

ah yes sftp sorry.
My users can dwell through the server, but they cant do anything nor read sensitive info and I only give sh to trusted users.

Trying to restrict them (chroot) seems to break security

I think you should look at other security measures on your server as to why your users can read sensitive files.

Sun, 06/07/2009 - 07:49 (Reply to #8)
ronald
ronald's picture

then you can use a script or use sed
per haps something like this through the cli

cd /tmp ; find -type f -name *.conf -maxdepth 4 | awk {'print "chmod -R 444 "$1'} |sh

put a file /tmp/whatever.conf in your /tmp with 777, then use that line to test.
if happy change cd /tmp in the cmd to whatever dir you like, so: cd /etc

Fri, 03/27/2009 - 05:13
opaque

But i think it is very dangerous that all users can see conf files everywhere on the server.

greetings opaque

Sat, 03/28/2009 - 08:36 (Reply to #10)
Joe
Joe's picture

<div class='quote'>But i think it is very dangerous that all users can see conf files everywhere on the server.</div>

The UNIX security model has been in use for more than 30 years, by millions of people. We think that's a pretty good indicator that it is not &quot;dangerous&quot;.

--

Check out the forum guidelines!

Sat, 03/28/2009 - 11:43
opaque

on my server a domain owner can go into etc and view proftpd.conf. there is no posibility to change the file but he can read the mysql password for den mysql user table.

opaque

Sat, 03/28/2009 - 11:51
opaque

where should i do this?

opaque

Sat, 03/28/2009 - 12:42
opaque

hi

a domain owner who connect via sftp dont use the the proftp server, it&Acirc;&acute;s a connectionn via ssh i think. so the settings of the proftpd.conf file doesnt change anything, or not?

opaque

Sat, 03/28/2009 - 22:00 (Reply to #14)
Joe
Joe's picture

So, the obvious solution is to make files that contain sensitive information not readable by regular users. proftpd.conf does not need to be world-readable, and it isn't in the proftpd packages that we provide (but we only provide packages for a couple of platforms...mostly it comes from the OS repos, but I wouldn't expect them to be world-readable either).

--

Check out the forum guidelines!

Sun, 03/29/2009 - 06:32
opaque

But this is a never ending job to browse trough all the directories and change the chmod.

opaque

Sun, 03/29/2009 - 06:40 (Reply to #16)
andreychek

If the data is truly &quot;sensitive&quot;, then it's worth it :-)

Restricting ProFTP or SSH to a home directory doesn't solve the problem -- a user could just as easily go into Virtualmin, and browse the server using the File Manager.

If you disable that, Joomla includes a file manager. Or they could just write their own code that searches for files and directories that they have permissions to view. Using a chroot in ProFTP or SSH can't prevent that, it only stops the case where the user is using FTP or SSH.

So the actual issue is not FTP, or SSH, it's that file permissions are set in a way that you deem to be insecure :-) The only way to solve that is to change the permissions.
-Eric

Sun, 03/29/2009 - 21:50
opaque

@ ronald

have your Domain owners a FTP Port 21 connection or do they also use ssh?

opaque