FTP serious security issue


LinuxNewbie16
03-04-2003, 03:11 PM
Hi, I have a small problem that I consider a security hole. Here's my point.
Let's suppose I host the domain domain1.com with FTP access under the username 'domain1' and directory "/home/www/domain1.com/htdocs/". If I FTP into my account I'm in the "htdocs" directory directly, but I still have the possibility to click on /home/www and /home/ and view their full contents, and also if I try, for example, to FTP using www.domain1.com/var/ I simply get into the server's /var/ dir and view everything...
Hope you got my point of view.
How can I fix this problem?
Thank you

Hayl
03-04-2003, 03:16 PM
You need to "jail" the user.

How you accomplish it will depend on what FTP server you are running.

If you are using ProFTPD and do a search for proftp on this site, then you will most likely find one of my posts where I have explained how to do it with ProFTPD.

LinuxNewbie16
03-05-2003, 02:04 PM
I'm using wu-ftp, can you please tell me step by step how to accomplish it.
Thank you

pl1ght
03-05-2003, 02:26 PM
I highly recommend uninstalling wu-ftpd and installing ProFTPD as your FTP daemon. It makes jailing much easier, and it uses Apache-type directives, which make it much easier to configure. There are 100 reasons why it is better than wu-ftpd.

MaxWave
03-05-2003, 04:32 PM
I second that nomination! ProFTPd jailing is the way to go.

LinuxNewbie16
03-06-2003, 01:50 PM
Okay, I'll install ProFTPD :)
And by the way, how do I fix the same problem under the console, I mean when using SSH to access files on the server? That means restricting a given user to a given directory and only that directory. I tried chmod 700 but faced some problems...
Waiting for your reply.

siyeclover
03-08-2003, 04:18 PM
Make your FTP user anonymous by modifying your proftpd.conf.
If you want the FTP user tom to never leave the directory /var/ftp/pub, do it like so.

<Anonymous /var/ftp/pub>

  # Allow logins if they are disabled above.
  <Limit LOGIN>
    AllowAll
  </Limit>

  # Maximum clients with message
  MaxClients 5 "Sorry, max %m users -- try again later"

  User tom
  Group tomgroup

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>

  # An upload directory that allows storing files but not retrieving
  # or creating directories.
  <Directory uploads/*>
    <Limit READ>
      DenyAll
    </Limit>

    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>

</Anonymous>

You can find many ProFTPD documents at http://www.proftpd.org/docs/

Some example config files:
http://www.proftpd.org/docs/example-conf.html



siyeclover
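The Anonymous block above turns the login into a read-only anonymous account with one upload directory, which does not fit the original scenario of a real hosting user (domain1) who must edit files in htdocs. For that case ProFTPD's DefaultRoot directive chroots each real user to their home directory at login. The following is an added example, not from the thread and not the ProFTPD project's own code: two constructed proftpd.conf fragments (the unjailed setting beside the jailed one) and a small shell check that reports whether a configuration file carries an active DefaultRoot line. The server name, file paths and the "wheel" admin group used as an exemption are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: ProFTPD jails real users with DefaultRoot.
# The proftpd.conf fragments below are constructed; the "wheel" group is assumed.

# Report whether a proftpd.conf contains an active (uncommented) DefaultRoot line.
# Directive names are case-insensitive in ProFTPD, hence grep -i.
proftpd_jails_users() {
    sed 's/#.*//' "$1" | grep -qiE '^[[:space:]]*DefaultRoot[[:space:]]+'
}

# Weak configuration (constructed): no DefaultRoot, so a user logs in to
# $HOME but can change to / and list the whole server, as the thread describes.
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerName  "hosting box"
ServerType  standalone
Port        21
# DefaultRoot ~
<Global>
  Umask 022
</Global>
EOF
}

# Jailed configuration (constructed): DefaultRoot ~ chroots every real user
# to their own home directory at login, so domain1 stays inside
# /home/www/domain1.com/htdocs/; "!wheel" exempts members of the assumed
# admin group so they keep full-filesystem access.
write_jailed_conf() {
    cat > "$1" <<'EOF'
ServerName  "hosting box"
ServerType  standalone
Port        21
DefaultRoot ~ !wheel
<Global>
  Umask 022
</Global>
EOF
}

# Stand-alone demonstration on temporary files.
demo() {
    tmp=$(mktemp -d)
    write_weak_conf "$tmp/weak.conf"
    write_jailed_conf "$tmp/jailed.conf"
    for name in weak jailed; do
        if proftpd_jails_users "$tmp/$name.conf"; then
            echo "$name.conf: DefaultRoot set, users are confined to their home"
        else
            echo "$name.conf: no DefaultRoot, users can browse the whole filesystem"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The usual caveats of a chrooted FTP user apply after DefaultRoot is set: the home directory must remain readable by the user, and symlinks inside the home that point outside the jail stop resolving, which is the intended effect.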

LinuxNewbie16
03-09-2003, 06:23 AM
Thanks siyeclover, and what about the SSH? (Review my question please.)
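The SSH part of the question is left unanswered in the thread. Later OpenSSH releases (4.8 and newer) answer it with the ChrootDirectory option in sshd_config, and the common failure mode is the ownership rule sshd enforces on the jail path: every component must be owned by root and not writable by group or others, otherwise the login is refused with "bad ownership or modes for chroot directory". The following is an added example, not from the thread or from the OpenSSH project: a constructed sshd_config Match block that confines a hypothetical user "tom" to an assumed jail path /srv/jail/tom as SFTP-only (so no shell binaries need to be copied into the jail), plus a shell check of the ownership rule. It assumes GNU stat for the path walk.

```shell
#!/bin/sh
# Added example, not from the thread: confining one SSH account to one directory
# with OpenSSH ChrootDirectory, and checking the ownership rule sshd enforces.
# User "tom" and the path /srv/jail/tom are assumptions; GNU stat is assumed.

# Pure check on one path component, given its owner uid and octal mode as
# GNU stat prints them (e.g. 0 755). sshd accepts a chroot component only if
# it is root-owned and neither group- nor world-writable.
chroot_component_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # A leading 0 makes the shell read the mode as octal; 022 masks the
    # group-write and other-write bits.
    [ $(( (0$mode) & 022 )) -eq 0 ]
}

# Walk every component of a path ("/" included) and apply the check.
# Returns 0 only when all components pass; paths with spaces are not handled.
chroot_path_ok() {
    p=""
    for part in "" $(printf '%s' "$1" | tr '/' ' '); do
        p="${p%/}/$part"
        info=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "bad ownership or modes for chroot component $p (uid $1, mode $2)" >&2
            return 1
        fi
    done
}

# Constructed sshd_config fragment. Match blocks must follow the global
# options, so the Subsystem line comes first. ForceCommand internal-sftp
# denies an interactive shell; the forwarding options close side channels.
write_sshd_match_block() {
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp

Match User tom
    ChrootDirectory /srv/jail/tom
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Stand-alone demonstration: check the path given as the first argument
# (default "/"), which on most systems is root-owned with mode 755.
demo() {
    if chroot_path_ok "$1"; then
        echo "$1: acceptable as a ChrootDirectory"
    else
        echo "$1: sshd would refuse this as a ChrootDirectory"
    fi
}

demo "${1:-/}"
```

The jail directory itself stays root-owned, so the confined user cannot write at its top level; give the user a root-owned-parent, user-owned subdirectory (for example /srv/jail/tom/files) for uploads. A full interactive shell inside the chroot is possible but requires copying the shell, its libraries and any tools into the jail, which is why the SFTP-only form is the one to reach for first.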