Vesta Control Panel - Forum


SFTP can access everything

ZipperZapper
Posts: 13
Joined: Fri Feb 06, 2015 11:37 am


Post by ZipperZapper » Mon Aug 10, 2015 9:22 am

Is it just me, or is it extremely dangerous to use SFTP with VestaCP?

I found out SFTP is enabled for everybody by default, even when the SSH access is set to 'nologin' in the user settings. Fine, I think vsftpd is handling this? Looked good to me, SFTP is much more secure than FTP and I would love it if users could use it.

Quickly I found out it's not possible to open the directories of other users on the server, so that's a good thing too. But now comes my point:

Every user is able to go all the way up in the tree, is able to open for example /etc and can see, download and open ALL files in there. So every single user is able to look at all configuration files for the server.

This sounds dangerous to me. Why is it that users can't access files from other users, but are able to just open every single other document on the server? Is there a way to work around this?

tjebbeke
Collaborator
Posts: 783
Joined: Mon May 11, 2015 8:43 am

Os: CentOS 6x
Web: apache + nginx

Post by tjebbeke » Mon Aug 10, 2015 11:12 am

You can try this: http://superuser.com/a/370955

ZipperZapper
Posts: 13
Joined: Fri Feb 06, 2015 11:37 am


Post by ZipperZapper » Mon Aug 10, 2015 2:34 pm

Code:

    chroot_local_user=YES

That one is enabled by default by Vesta, but doesn't seem to work as described in your link. It's indeed true I can't access the stuff other users own, but I can access all other files on the server. That just seems odd to me.

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm


Post by skurudo » Mon Aug 10, 2015 4:55 pm

Yep, there are no jails for this yet (it's planned). But this is not a bug; sadly, it's an sshd thing.

viewtopic.php?f=10&t=7231&p=22959&hilit=sftp#p22959
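
Added example, not part of the thread or of VestaCP's code: `chroot_local_user` is a vsftpd option, while SFTP sessions are served by sshd, where `ChrootDirectory` and `ForceCommand` decide what an SFTP login can see. The script below checks a user's effective sshd settings (the output format of `sshd -T -C user=NAME`) for that jail; the group name `sftponly` and both sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added example. sshd_config stanza this check looks for (the group name
# "sftponly" is hypothetical):
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory %h
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd refuses the chroot unless every component of the ChrootDirectory path
# is owned by root and not writable by group or others.

# Reads effective sshd settings on stdin (format of `sshd -T -C user=NAME`:
# lowercase keyword, space, value) and prints a one-line verdict.
sftp_jail_status() {
    awk '
        $1 == "chrootdirectory" { chroot = $2 }
        $1 == "forcecommand"    { $1 = ""; sub(/^ +/, ""); force = $0 }
        END {
            if (chroot == "" || chroot == "none")
                print "exposed: no ChrootDirectory, SFTP sees the whole filesystem"
            else if (force !~ /^internal-sftp( |$)/)
                print "incomplete: chroot set but ForceCommand is not internal-sftp"
            else
                print "jailed: " chroot
        }'
}

# Constructed samples of effective settings, not captured from a real host.
SAMPLE_DEFAULT='port 22
chrootdirectory none
forcecommand none
subsystem sftp /usr/libexec/openssh/sftp-server'

SAMPLE_JAILED='port 22
chrootdirectory %h
forcecommand internal-sftp
subsystem sftp internal-sftp'

printf '%s\n' "$SAMPLE_DEFAULT" | sftp_jail_status
printf '%s\n' "$SAMPLE_JAILED"  | sftp_jail_status
```

On a live host the input would come from `sshd -T -C user=NAME` run as root, once per panel user.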