
How to deny access to upper directories for FTP users?


goe
31st August 2004, 04:16 PM
Hi,

I'm running an FTP server on my Fedora 2 server and I wonder if anybody can help me with closing down the access for my FTP users.

My users access /home/nick_name/public_html/, and I need each of them not to be allowed to go above his or her public_html directory over FTP.

Can anybody tell me how I can achieve that? What should I configure? Do you know any web tutorials for that?

Thanks for any help!
goe

kosmosik
31st August 2004, 05:06 PM
You need to use an FTP daemon that supports chrooting users... proftpd does, AFAIR; pure-ftpd certainly does :)

But keep in mind that it only affects the FTP service. You will probably do better with proper ACL settings than with obscure chrooting like this. I mean that even if a user can't get to an upper directory, he can write a script that does it (I'm assuming that you are allowing some PHP or something on the web server); with this script he can do almost anything as user apache (talking about defaults)...

goe
31st August 2004, 07:59 PM

OK,

I've read the stuff from "man acl" but I still don't understand how it works. Do I have to create some kind of files in each directory? Please explain it to me... or maybe give a URL to some kind of tutorial on that.

Thank you!
goe

kosmosik
31st August 2004, 08:27 PM
I meant that if you want to chroot users it is OK, but do it globally, not only for one service, since that only gives a false sense of security (as they can still issue commands via PHP scripts as user apache on the entire system)... I mean, if you don't want your users to look over others' shoulders (meaning looking in their home dirs and web pages), use a proper ACL model or disable any web scripting (allowing scripting is like giving access to a shell anyway, just as a different user; maybe use PHP as CGI with per-user execution rights?)...

http://www.linux-magazine.com/issue/38/Access_Control_Lists.pdf
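Editor's note: the following is an added example, not code from the thread or from any of its posters. It lays out the "proper ACL model" kosmosik refers to for goe's /home/nick_name/public_html layout: the home directory and anything private in it are closed to everyone but the owner, and only the web server's uid is granted traverse on the home and read+search on public_html. The uid 48 for the apache user (the Fedora/RHEL default) and the ACL-capable filesystem with the acl tools installed are my assumptions; if setfacl is missing or the mount does not support ACLs, the function falls back to plain modes (home 0711, public_html 0755), which is the classic pre-ACL arrangement and is weaker: any local user who knows the path can still read public_html. Either way, a PHP script running as apache can read whatever apache can, which is exactly why kosmosik suggests per-user PHP execution.

```shell
#!/bin/sh
# Added example, not from the thread: a per-user permission model for
# ROOT/home/USER/{public_html,private} where only the web server can reach
# public_html and nobody but the owner can see the rest of the home directory.
# Assumptions (mine, not the thread's): the web server runs as uid 48 ("apache"
# on Fedora/RHEL); the tree lives on a mount with POSIX ACL support and the acl
# tools (setfacl/getfacl) are installed. Otherwise plain modes are used.

APACHE_UID=48          # assumption: apache's uid on Fedora/RHEL

# other_bits PATH -> the "others" octal digit of PATH's mode (0..7)
other_bits() { stat -c '%a' "$1" | cut -c3; }

# setup_user_tree ROOT USER -> creates ROOT/home/USER/{public_html,private},
# locks the tree down and prints "acl" or "modes" to say which model applied.
setup_user_tree() {
    home="$1/home/$2"
    mkdir -p "$home/public_html" "$home/private"
    printf '<h1>%s</h1>\n' "$2" > "$home/public_html/index.html"   # constructed content
    printf 'dbpass=secret\n'    > "$home/private/notes.txt"         # constructed content

    # Baseline: only the owner may do anything in the home dir, private and
    # public_html; files under public_html stay 0644 so they are readable
    # by whoever is allowed to reach the directory.
    chmod 0700 "$home" "$home/private" "$home/public_html"
    chmod 0600 "$home/private/notes.txt"
    chmod 0644 "$home/public_html/index.html"

    # chmod must come before setfacl: chmod rewrites the ACL mask from the
    # group bits and would otherwise silence the named-user entry.
    if command -v setfacl >/dev/null 2>&1 &&
       setfacl -m "u:$APACHE_UID:x" "$home" 2>/dev/null; then
        # ACL model: other users cannot even traverse the home directory;
        # the web server alone gets search on $home and read+search on
        # public_html. The "others" bits of both stay 0.
        setfacl -m "u:$APACHE_UID:rx" "$home/public_html"
        echo acl
    else
        # Fallback without ACLs: everybody may traverse (x) but not list the
        # home dir, and public_html is world-readable, so any local user who
        # knows the path can read it (the weakness kosmosik warns about).
        chmod 0711 "$home"
        chmod 0755 "$home/public_html"
        echo modes
    fi
}

# Usage against a throwaway root (constructed, not the real /home):
ROOT=$(mktemp -d)
MODEL=$(setup_user_tree "$ROOT" nick)
echo "applied model: $MODEL"
if command -v getfacl >/dev/null 2>&1; then
    getfacl -n -p "$ROOT/home/nick" "$ROOT/home/nick/public_html"
else
    ls -ld "$ROOT/home/nick" "$ROOT/home/nick/public_html"
fi
```

Run it as the user who owns the tree (no root needed). On an ACL-capable mount getfacl shows `user:48:--x` on the home directory and `user:48:r-x` on public_html with `other::---` on both; on a plain mount the script reports "modes" and the 0711/0755 fallback is what you get.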

goe
31st August 2004, 09:23 PM
OK, I managed to do this. But I have a different question now.
When I log in to my ftp account from another linux machine (both local IPs in the same network) I can log in but when I type "ls -l" I get:

ftp> ls -l
227 Entering Passive Mode (192,168,3,45,37,132)
ftp: connect: No route to host

What does this mean and how can I deal with that?

Thank you for help!
goe

goe
1st September 2004, 02:27 PM
OK, I know how to deal with that. I had to add 1024:tcp access to my firewall connection.

Now it works :)
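Editor's note: the following is an added example, not something any poster wrote. It decodes what the 227 reply in goe's transcript means: in passive mode the server tells the client to open a second TCP connection, the data connection, to h1.h2.h3.h4 on port p1*256+p2, so "(192,168,3,45,37,132)" means 192.168.3.45 port 37*256+132 = 9604. "ftp: connect: No route to host" is what the client prints when that connection is refused with an ICMP host-prohibited message, which is how the default Fedora iptables REJECT rule answers; the control connection on port 21 works, the data connection does not. For the firewall rule to stay correct the range the daemon hands out in 227 replies has to be pinned to the range the firewall opens (proftpd's PassivePorts directive, pure-ftpd's -p min:max), or the ip_conntrack_ftp module has to be loaded so the kernel learns the data port from the control channel. The passive range used below is an assumption for illustration, not something from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: decode an FTP "227 Entering Passive Mode"
# reply and check whether the advertised data port lies inside the range the
# server's firewall is supposed to allow.

# pasv_endpoint REPLY -> "h1.h2.h3.h4 PORT", or exit 1 if REPLY is not a 227 line
pasv_endpoint() {
    # keep only the six comma-separated numbers between the parentheses
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || { echo "not a 227 reply: $1" >&2; return 1; }
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || { echo "expected h1,h2,h3,h4,p1,p2" >&2; return 1; }
    # the data port is p1*256 + p2
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# pasv_port REPLY -> just the data port
pasv_port() { pasv_endpoint "$1" | cut -d' ' -f2; }

# in_range PORT LOW HIGH -> true when LOW <= PORT <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# The reply line from goe's transcript, and an assumed passive range
# (what PassivePorts in proftpd or -p in pure-ftpd would be set to).
REPLY='227 Entering Passive Mode (192,168,3,45,37,132)'
PASV_LOW=49152
PASV_HIGH=65534

echo "server wants the data connection on $(pasv_endpoint "$REPLY")"
port=$(pasv_port "$REPLY")
if in_range "$port" "$PASV_LOW" "$PASV_HIGH"; then
    echo "port $port is inside $PASV_LOW-$PASV_HIGH: a firewall rule for that range covers it"
else
    echo "port $port is outside $PASV_LOW-$PASV_HIGH: the daemon is not pinned to the range the firewall allows"
fi
```

Feed it the 227 line from any failing `ls` and compare the port it prints with what the firewall actually opens; if the two disagree, either pin the daemon's passive range to the firewall's or open the range the daemon is already using.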

Jman
2nd September 2004, 02:55 AM
Moved to Servers forum.