Limit FTP directory access?
-
- Posts: 10
- Joined: Mon Feb 24, 2014 10:37 pm
Limit FTP directory access?
Hello,
I'd like to add a user through the "Additional FTP" mechanism but limit that user to a particular directory and its subdirectories. Is there a way to accomplish this? I know that I can define the default directory through the /etc/passwd file, but that does not limit access to that directory.
Thank you for your help!
Regards,
John
Re: Limit FTP directory access?
Yeah, there is no way in VestaCP as yet anyway to jail a user to a specific directory,
you will need to jail manually. What is your OS?
-
- Posts: 10
- Joined: Mon Feb 24, 2014 10:37 pm
Re: Limit FTP directory access?
Thanks for the reply.
I am using Ubuntu 14.04 LTS.
Re: Limit FTP directory access?
well I use Debian so my method would be almost the same, the flags & directories may differ slightly,
First create one additional FTP user under the WEB tab (EDIT the domain) in your VestaCP control panel.
Next log in over SSH as root and open /etc/passwd
You will see the last line has the additional user you just created
Change the directory in there, that is the fastest way manually for the additional user.
Example: 1422 is the user id
Code:
dev_test:x:1422:1422::/home/dev/web/dev.dev.tld/public_html/developer:/usr/bin/rssh
To add another FTP user on top of that one you have to do it manually.
username+dirs+userid are located in /etc/passwd
passwords are encrypted and are located in /etc/shadow
Try this, not tested.
Code:
sudo useradd -m testuser -s /sbin/nologin
sudo passwd testuser
The flag for the home directory is -d
so you can add -d /home/the-main-account-user/web/the-domains-tld/public_html/whatever-directory or do it after the user is created to make sure it did work.
Or go in full throttle and try this.
Code:
sudo useradd -m testuser -d /home/the-main-account-user/web/the-domains-tld/public_html/whatever-directory -s /sbin/nologin
sudo passwd testuser
I haven't got an Ubuntu instance running so I can't test this, though it should create the user.
If not, use the help (useradd -h) function to get the right flags for each.
Don't worry, it's really hard to break the server giving each method a try.
Remember to restart vsftpd
Code:
sudo /etc/init.d/vsftpd restart
-
- Posts: 10
- Joined: Mon Feb 24, 2014 10:37 pm
Re: Limit FTP directory access?
As far as I can tell, your instructions show how to add another user, but don't do anything to jail that user. I don't need to add another user, I just need to limit directory access for the one I've already got.
Re: Limit FTP directory access?
Sorry been busy.
Log in over SSH as root and open /etc/passwd
change the directory public_html/whatever-directory
Code:
dev_test:x:1422:1422::/home/dev/web/your-domain.tld/public_html/whatever-directory:/usr/bin/rssh
just change the directory to where you want it to open on connecting,
try ftp in, it should work fine.
-
- Posts: 10
- Joined: Mon Feb 24, 2014 10:37 pm
Re: Limit FTP directory access?
Right. As I said in the first post, I am aware of being able to define the default directory in the /etc/passwd file. The user can still leave the defined home directory and browse the rest of the file system.
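Whether the home directory in /etc/passwd acts as a boundary depends on the FTP daemon's chroot settings, not on the passwd entry itself. The following added example (not code from the thread) assumes the daemon is vsftpd, as the restart command earlier in the thread suggests, and evaluates its `chroot_local_user`, `chroot_list_enable` and `chroot_list_file` options for one user; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: would vsftpd chroot this local user to their home directory?

# conf_get FILE KEY -> last uncommented value of KEY in FILE (empty if unset)
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# is_yes VALUE -> success only for YES in any case (sketch: other spellings ignored)
is_yes() {
    case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# vsftpd_jailed CONF USER [LISTFILE] -> prints "jailed" or "not-jailed".
# chroot_list_file holds one user name per line; its meaning flips with
# chroot_local_user. An unreadable list file is treated as "user not listed".
vsftpd_jailed() {
    conf=$1 user=$2
    list=${3:-$(conf_get "$conf" chroot_list_file)}
    list=${list:-/etc/vsftpd.chroot_list}   # vsftpd's documented default
    listed=no
    if is_yes "$(conf_get "$conf" chroot_list_enable)" \
        && [ -r "$list" ] && grep -qxF "$user" "$list"; then
        listed=yes
    fi
    if is_yes "$(conf_get "$conf" chroot_local_user)"; then
        # Everyone is jailed; the list names the exceptions.
        [ "$listed" = yes ] && echo not-jailed || echo jailed
    else
        # Nobody is jailed; the list names the users who are.
        [ "$listed" = yes ] && echo jailed || echo not-jailed
    fi
}

# Constructed sample: global jail commented out, per-user list enabled.
tmp=$(mktemp -d)
printf '%s\n' 'local_enable=YES' '#chroot_local_user=YES' \
    'chroot_list_enable=YES' "chroot_list_file=$tmp/chroot_list" > "$tmp/vsftpd.conf"
echo dev_test > "$tmp/chroot_list"
vsftpd_jailed "$tmp/vsftpd.conf" dev_test   # jailed
vsftpd_jailed "$tmp/vsftpd.conf" admin      # not-jailed
rm -rf "$tmp"
```

When the result is "jailed", vsftpd chroots the user into the home directory taken from /etc/passwd, which is what turns the home-directory edit discussed above into an actual limit.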
Re: Limit FTP directory access?
Hi,
You can restrict users including admin easily, I have locked all users to their home directory.
I am using CentOS 6.7 x64.
And what you need to do is look at the ACL permissions.
These commands are built into CentOS. On Ubuntu / Debian I suspect the commands are similar.
Run as root. I have used a test user for this example; obviously test should be replaced with the user name.
Code:
setfacl -m test:x /
Code:
getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::r-x
user:test:--x
group::r-x
mask::r-x
other::r-x
Now user test cannot access the / as the write permission is removed so test has r and x permissions, which enables system calls, but no ls command.
Next run
Code:
setfacl -m test:x /home
Code:
getfacl /home
getfacl: Removing leading '/' from absolute path names
# file: home
# owner: root
# group: root
user::rwx
user:test:--x
group::r-x
mask::r-x
other::r-x
Obviously rerun the commands with admin as user name.
Now go to your ftp program or WinSCP and login with the user. Then try to access /home or / and you will get access denied.
Also this stops users gaining access to /conf /mail directories in their home directory, which stops them from messing up their configuration.
And so far I have not found any issues with doing this.
Well that's it, I hope this helps.
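To read getfacl output like the listings in the post above, the following added example (not the poster's code) computes the permissions that actually apply to one user: the owner entry for the owner, a named `user:` entry combined with `mask::`, otherwise `other::`. It assumes the user is in none of the groups named in the ACL; the function names are hypothetical, and the first sample is the /home listing quoted from the post.

```shell
#!/bin/sh
# Added example: effective POSIX ACL permissions for USER from getfacl text.

# acl_effective USER  (getfacl output on stdin) -> three characters, e.g. "--x"
acl_effective() {
    awk -F: -v u="$1" '
        /^# owner: /             { sub(/^# owner: /, ""); owner = $0; next }
        /^#/ || NF < 3           { next }       # headers and getfacl notices
        $1 == "user" && $2 == "" { own = $3 }   # owner entry
        $1 == "user" && $2 == u  { named = $3 } # named-user entry
        $1 == "mask"             { mask = $3 }
        $1 == "other"            { other = $3 }
        END {
            if (u == owner)  { print substr(own, 1, 3); exit }
            if (named == "") { print substr(other, 1, 3); exit }
            if (mask == "") mask = "rwx"
            out = ""
            for (i = 1; i <= 3; i++) {          # named entry AND mask, bit by bit
                a = substr(named, i, 1); m = substr(mask, i, 1)
                out = out ((a != "-" && m != "-") ? a : "-")
            }
            print out
        }'
}

# acl_describe PERMS -> what those bits mean on a directory
acl_describe() {
    case "$1" in
        r?x) echo list-and-traverse ;;
        -?x) echo traverse-only ;;
        r?-) echo names-only ;;
        *)   echo no-access ;;
    esac
}

# getfacl /home output as quoted in the post above
home_acl='# file: home
# owner: root
# group: root
user::rwx
user:test:--x
group::r-x
mask::r-x
other::r-x'
acl_describe "$(printf '%s\n' "$home_acl" | acl_effective test)"   # traverse-only
```

A traverse-only result means the user cannot list that directory but can still pass through it, so paths beneath it remain governed by their own permissions rather than by this entry.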