SFTP can access everything
-
- Posts: 13
- Joined: Fri Feb 06, 2015 11:37 am
SFTP can access everything
Is it just me, or is it extremely dangerous to use SFTP with VestaCP?
I found out SFTP is enabled for everybody by default, also when the SSH-access is set to 'nologin' in the user settings. Fine, I think vsftpd is handling this? Looked good for me, SFTP is much more secure than FTP and I would love it if users could use it.
Quickly I found out it's not possible to open the directories of other users at the server, so that's a good thing too. But now comes my point:
Every user is able to go all the way up in the tree, is able to open for example /etc and can see, download and open ALL files in there. So every single user is able to look at all configuration files for the server.
This sounds dangerous to me. Why is it that users can't access files from other users, but are able to just open every single other document on the server? Is there a way to work around this?
-
- Collaborator
- Posts: 783
- Joined: Mon May 11, 2015 8:43 am
- Contact:
- Os: CentOS 6x
- Web: apache + nginx
Re: SFTP can access everything
You can try this: http://superuser.com/a/370955
-
- Posts: 13
- Joined: Fri Feb 06, 2015 11:37 am
Re: SFTP can access everything
chroot_local_user=YES
Re: SFTP can access everything
Yep, there are no jails for this yet (it's planned). There is no bug here, though; sadly, it's an sshd thing.
viewtopic.php?f=10&t=7231&p=22959&hilit=sftp#p22959
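Added example (not part of the thread and not VestaCP code): since SFTP is served by sshd, as the last reply says, whether an account is jailed is decided in sshd_config. This Python checker reads a config and reports whether a given user ends up with `ChrootDirectory` plus `ForceCommand internal-sftp`; the sample configs, the `sftponly` group and the user names are constructed, and only `Match User`/`Group`/`All` criteria are handled (no `Include`).

```python
import fnmatch

# Constructed sample configs (not from the thread, not VestaCP's own files).
OPEN_CONFIG = "Subsystem sftp /usr/libexec/openssh/sftp-server\n"
JAILED_CONFIG = """Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
"""

def _pattern_list_matches(patterns, values):
    """sshd pattern list: comma separated, '!' negates, * and ? wildcards."""
    hit = False
    for pat in patterns.split(","):
        if any(fnmatch.fnmatchcase(v, pat.lstrip("!")) for v in values):
            if pat.startswith("!"):
                return False
            hit = True
    return hit

def _match_applies(criteria, user, groups):
    """True if every criterion on a Match line holds (User, Group, All only)."""
    toks = criteria.split()
    if len(toks) % 2:  # "All" is the only single-token form handled here
        return [t.lower() for t in toks] == ["all"]
    for key, pats in zip(toks[::2], toks[1::2]):
        values = {"user": [user], "group": groups}.get(key.lower())
        if values is None or not _pattern_list_matches(pats, values):
            return False  # other criteria (Host, Address, ...) count as no match
    return True

def effective_sftp_settings(config_text, user, groups):
    """Return (ChrootDirectory, ForceCommand) for user; Match overrides global."""
    glob, matched, active, in_match = {}, {}, True, False
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match, active = True, _match_applies(value, user, groups)
        elif key in ("chrootdirectory", "forcecommand") and active:
            (matched if in_match else glob).setdefault(key, value)
    merged = {**glob, **matched}
    return merged.get("chrootdirectory", "none"), merged.get("forcecommand")

def is_jailed(config_text, user, groups):
    """Common SFTP-only jail: a chroot plus a forced in-process SFTP server."""
    chroot, force = effective_sftp_settings(config_text, user, groups)
    return chroot.lower() != "none" and (force or "").split()[:1] == ["internal-sftp"]
```

On a live host, `sshd -T -C user=NAME` prints the effective settings sshd itself computes for that user. sshd also requires every component of the `ChrootDirectory` path to be owned by root and not writable by group or others.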