SFTP can access everything
Posted: Mon Aug 10, 2015 9:22 am
Is it just me, or is it extremely dangerous to use SFTP with VestaCP?
I found out SFTP is enabled for everybody by default, even when SSH access is set to 'nologin' in the user settings. Fine, I think vsftpd is handling this? It looked good to me: SFTP is much more secure than FTP, and I would love it if users could use it.
I quickly found out that it's not possible to open other users' directories on the server, so that's a good thing too. But now comes my point:
Every user is able to go all the way up the tree, open for example /etc, and see, download and open ALL files in there. So every single user is able to look at all configuration files for the server.
This sounds dangerous to me. Why is it that users can't access other users' files, but are able to open every single other document on the server? Is there a way to work around this?
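The behaviour described in the post (users confined out of each other's home directories by file permissions, but free to browse / and read anything world-readable such as /etc) is what an SFTP user gets when sshd serves them without a ChrootDirectory. The audit below is an added example for this thread, not VestaCP's or OpenSSH's own code: it parses sshd_config text, reports whether the sftp subsystem is enabled, and flags SFTP access that no Match block chroots, plus two things a chroot does not restrict on its own (TCP and X11 forwarding). The three sample configs, the sftponly group and the /home/%u path are constructed assumptions, not taken from a VestaCP install.

```python
"""Audit an sshd_config for SFTP users that can roam the whole filesystem.

Added example for this thread, not VestaCP's or OpenSSH's own code. The sample
configs at the bottom are constructed inline; paths and group names are assumptions.
"""
import re

# OpenSSH defaults for two options a chrooted SFTP user can still use
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no"}


def parse_sshd_config(text):
    """Split sshd_config text into global options and Match blocks.

    Returns (global_opts, blocks): global_opts maps lowercased keyword -> list of
    values; blocks is a list of (match_criteria, opts) in file order. Keywords are
    case-insensitive and may be followed by whitespace or '='; '#' starts a comment.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        kw, val = m.group(1).lower(), m.group(2).strip()
        if kw == "match":
            current = {}  # everything up to the next Match belongs to this block
            blocks.append((val, current))
            continue
        current.setdefault(kw, []).append(val)
    return global_opts, blocks


def sftp_enabled(global_opts):
    """True if a 'Subsystem sftp ...' line is present."""
    return any(v.split()[:1] == ["sftp"] for v in global_opts.get("subsystem", []))


def audit(text):
    """Return {'sftp_enabled', 'chrooted', 'findings'} for one sshd_config text."""
    global_opts, blocks = parse_sshd_config(text)
    report = {"sftp_enabled": sftp_enabled(global_opts), "chrooted": [], "findings": []}
    if not report["sftp_enabled"]:
        return report
    for criteria, opts in blocks:
        if "chrootdirectory" not in opts:
            continue
        report["chrooted"].append(criteria)
        forced = [v.split() for v in opts.get("forcecommand", [])]
        if not any(cmd[:1] == ["internal-sftp"] for cmd in forced):
            report["findings"].append(
                f"Match {criteria}: ChrootDirectory without ForceCommand internal-sftp")
        for kw, label in (("allowtcpforwarding", "TCP forwarding"),
                          ("x11forwarding", "X11 forwarding")):
            # Match-block value wins, then the global value, then OpenSSH's default;
            # sshd keeps the first value of a repeated keyword, hence [0]
            vals = opts.get(kw) or global_opts.get(kw) or [DEFAULTS[kw]]
            if vals[0].lower() != "no":
                report["findings"].append(
                    f"Match {criteria}: {label} still allowed; ChrootDirectory does not restrict it")
    if not report["chrooted"]:
        report["findings"].append(
            "Subsystem sftp enabled but no Match block sets ChrootDirectory: "
            "every SFTP user can browse / and read world-readable files such as /etc")
    return report


# Constructed sample configs (not taken from a real VestaCP install)
WEAK = """
Port 22
# external sftp-server, no Match block: users see the whole filesystem
Subsystem sftp /usr/lib/openssh/sftp-server
"""

PARTIAL = """
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
"""

HARDENED = """
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

To check a live box, feed it the real file: `audit(open("/etc/ssh/sshd_config").read())`; the authoritative view of what a given user actually gets is `sshd -T -C user=<name>,host=<client>,addr=<client-ip>`, which prints the effective configuration after Match processing. Two caveats when applying the HARDENED shape: sshd refuses the login unless the ChrootDirectory target and every component of its path are owned by root and not group- or world-writable, so a chrooted user needs a writable subdirectory inside it rather than a writable home; and a chroot only limits the filesystem view, which is why the example also turns off forwarding.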