Koozali.org: home of the SME Server

Restricting users in FTP to a certain dir...

Leigh Gardiner

Restricting users in FTP to a certain dir...
« on: August 13, 2002, 11:33:14 AM »
What I've done is set up an IBAY and a Virtual Domain and this one username is in control of this ibay and domain. They can log in via FTP, but I want to lock them into the /home/e-smith/files/ibays/nameofsite dir and give them read, write and execute access to it. What I've done so far is changed the group and user ownership to this user so they have complete control over the dirs etc. But as I said above, what I'm aiming for is when they log into the FTP with the username they're in the /home/e-smith/files/ibays/nameofsite folder and cannot go up dirs back into the rest of the file system (it only goes back as far as /home/e-smith/files/ anyway, but I don't really want them to go back even that far...)

I've got them starting in the site ibay dir but changing their homedir in /etc/passwd to its dir.

Ideas?

Damien Curtain

Re: Restricting users in FTP to a certain dir...
« Reply #1 on: August 13, 2002, 12:54:23 PM »
Leigh Gardiner wrote:
>
> What I've done is set up an IBAY and a Virtual Domain and this
> one username is in control of this ibay and domain. They can
> log in via FTP, but I want to lock them into the
> /home/e-smith/files/ibays/nameofsite dir and give them read,
> write and execute access to it. What I've done so far is
> changed the group and user ownership to this user so they
> have complete control over the dirs etc. But as I said above,
> what I'm aiming for is when they log into the FTP with the
> username they're in the /home/e-smith/files/ibays/nameofsite
> folder and cannot go up dirs back into the rest of the file
> system (it only goes back as far as /home/e-smith/files/
> anyway, but I don't really want them to go back even that
> far...)
>
> I've got them starting in the site ibay dir but changing
> their homedir in /etc/passwd to its dir.
>
> Ideas?

I just wrapped something I use up as an rpm for you if you'd care to try it, available from:
http://www.pagefault.org/e-smith/contrib/index.html#proftpd

It enables you to set a default root for ftp by the following commands:
/sbin/e-smith/db accounts setprop username Chroot yes ChrootDir directory
/sbin/e-smith/signal-event remoteaccess-update

Where username is the username of the account and directory is the directory to lock them to.

May be totally useless or may be what you're after...
--
 Damien

Leigh Gardiner

Re: Restricting users in FTP to a certain dir...
« Reply #2 on: August 13, 2002, 01:02:39 PM »
Cool. When I try to unpack and install the package I get:

[root@netserver primary]# rpm -ihv e-smith-proftpd-chroot-0.0.1-01dc.noarch.rpm
error: failed dependencies:
        e-smith-proftpd >= 1.6.0 is needed by e-smith-proftpd-chroot-0.0.1-01dc

Where can I grab the e-smith-proftpd from? And why wouldn't it be installed already?..

Also, do you have any pages that you learn about chroot from etc so I can do a similar thing on other Linux machines (that aren't e-smith)...if I learn everything from these RPMs and I go to use Linux I'll be stuck and won't know how to use the chroot cmd...

Thanks...also it sounds like exactly what I'm after :)

Damien Curtain

Re: Restricting users in FTP to a certain dir...
« Reply #3 on: August 13, 2002, 01:08:02 PM »
Leigh Gardiner wrote:
>
> Cool. When I try to unpack and install the package I get:
>
> [root@netserver primary]# rpm -ihv
> e-smith-proftpd-chroot-0.0.1-01dc.noarch.rpm
> error: failed dependencies:
>         e-smith-proftpd >= 1.6.0 is needed by
> e-smith-proftpd-chroot-0.0.1-01dc
>
> Where can I grab the e-smith-proftpd from? And why wouldn't
> it be installed already?..

Ah this is for sme 5.5, prob just force it on 5.1 or above:)

rpm -ihv --nodeps e-smith-proftpd-chroot-0.0.1-01dc.noarch.rpm

> Also, do you have any pages that you learn about chroot from
> etc so I can do a similar thing on other Linux machines (that
> aren't e-smith)...if I learn everything from these RPMs and
> I go to use Linux I'll be stuck and won't know how to use the
> chroot cmd...

man proftpd.conf ?
--
 Damien

Damien Curtain

Re: Restricting users in FTP to a certain dir...
« Reply #4 on: August 13, 2002, 01:09:52 PM »
> > Also, do you have any pages that you learn about chroot from
> > etc so I can do a similar thing on other Linux machines (that
> > aren't e-smith)...if I learn everything from these RPMs and
> > I go to use Linux I'll be stuck and won't know how to use the
> > chroot cmd...
>
> man proftpd.conf ?

Actually, for generic chroot read the chroot manpage, or see linuxdoc.org

man 1 chroot
CHROOT(1)                                FSF                                CHROOT(1)



NAME
       chroot - run command or interactive shell with special root directory

SYNOPSIS
       chroot NEWROOT [COMMAND...]
       chroot OPTION

DESCRIPTION
       Run COMMAND with root directory set to NEWROOT.

       --help display this help and exit

       --version
              output version information and exit

       If no command is given, run ``${SHELL} -i'' (default: /bin/sh).

--
 Damien

theKiyote

Re: Restricting users in FTP to a certain dir...
« Reply #5 on: August 17, 2002, 10:35:06 AM »
I'm currently having a similar problem of restricting access to a single directory (and any sub-directories)

I've gone through and installed the rpm, but have problems restricting access to a file.

This is what I've done:

/sbin/e-smith/db accounts setprop kiyote Chroot yes Chroot /home/e-smith/files/ibays/myftp/files/myfiles

where myftp is my ftp ibay and myfiles a folder I created to hold the files for the server

then I ran /sbin/e-smith/signal-event remoteaccess-update

and whenever I try to log in to my ftp server, it still logs me into the kiyote user directory, like it was before

--theKiyote

Damien Curtain

Re: Restricting users in FTP to a certain dir...
« Reply #6 on: August 17, 2002, 10:55:52 AM »
theKiyote wrote:
>
> I'm currently having a similar problem of restricting access
> to a single directory (and any sub-directories)
>
> I've gone through and installed the rpm, but have problems
> restricting access to a file.
>
> This is what I've done:
>
> /sbin/e-smith/db accounts setprop kiyote Chroot yes Chroot
> /home/e-smith/files/ibays/myftp/files/myfiles
>
> where myftp is my ftp ibay and myfiles a folder I created to
> hold the files for the server
>
> then I ran /sbin/e-smith/signal-event remoteaccess-update
>
> and whenever I try to log in to my ftp server, it still logs
> me into the kiyote user directory, like it was before

Did you just not transcribe your command right in this post ? It should be

/sbin/e-smith/db accounts setprop kiyote Chroot yes ChrootDir /home/e-smith/files/ibays/myftp/files/myfiles
/sbin/e-smith/signal-event remoteaccess-update
--
 Damien

Damien Curtain

Re: Restricting users in FTP to a certain dir...
« Reply #7 on: August 17, 2002, 10:58:14 AM »
Damien Curtain wrote:
>
> theKiyote wrote:
> >
> > I'm currently having a similar problem of restricting access
> > to a single directory (and any sub-directories)
> >
> > I've gone through and installed the rpm, but have problems
> > restricting access to a file.
> >
> > This is what I've done:
> >
> > /sbin/e-smith/db accounts setprop kiyote Chroot yes Chroot
> > /home/e-smith/files/ibays/myftp/files/myfiles
> >
> > where myftp is my ftp ibay and myfiles a folder I created to
> > hold the files for the server
> >
> > then I ran /sbin/e-smith/signal-event remoteaccess-update
> >
> > and whenever I try to log in to my ftp server, it still logs
> > me into the kiyote user directory, like it was before
>
> Did you just not transcribe your command right in this post ?
> It should be
>
> /sbin/e-smith/db accounts setprop kiyote Chroot yes ChrootDir
> /home/e-smith/files/ibays/myftp/files/myfiles
> /sbin/e-smith/signal-event remoteaccess-update

or more likely it should be
/sbin/e-smith/db accounts setprop kiyote Chroot yes ChrootDir /home/e-smith/files/ibays/myftp/files
/sbin/e-smith/signal-event remoteaccess-update

You can't restrict access to a file, just a folder, I'm sure that's what you meant though...
--
 Damien
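
The mix-up discussed in Replies #5 to #7 (the Chroot property named twice so ChrootDir is never set, or a jail target that is not a folder) can be caught before the db command is run. This is an added example, not part of the thread or of the rpm: check_chroot_props is a hypothetical helper that takes the same username and name/value arguments as the setprop command above, and its exit codes are made up for illustration.

```shell
#!/bin/sh
# Added example; check_chroot_props is a hypothetical helper, not part of
# e-smith or the proftpd-chroot rpm. Arguments mirror
# "db accounts setprop <user> <name> <value> ...".
check_chroot_props() {
    user=$1; shift
    chroot='' chrootdir='' seen=' '
    # Properties come as alternating name/value arguments.
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "$user: a property name has no value" >&2
        return 2
    fi
    while [ $# -gt 0 ]; do
        name=$1 value=$2; shift 2
        case $seen in
            *" $name "*)
                # The Reply #5 mistake: "Chroot yes Chroot /path".
                echo "$user: property '$name' given twice" >&2
                return 3 ;;
        esac
        seen="$seen$name "
        case $name in
            Chroot)    chroot=$value ;;
            ChrootDir) chrootdir=$value ;;
        esac
    done
    if [ "$chroot" != yes ]; then
        echo "$user: Chroot is not set to yes" >&2
        return 4
    fi
    if [ -z "$chrootdir" ]; then
        echo "$user: Chroot is yes but ChrootDir is not set" >&2
        return 5
    fi
    case $chrootdir in
        /*) ;;
        *) echo "$user: ChrootDir must be an absolute path" >&2
           return 6 ;;
    esac
    # The jail target has to be a folder, not a file.
    if [ ! -d "$chrootdir" ]; then
        echo "$user: ChrootDir '$chrootdir' is not a directory" >&2
        return 7
    fi
    return 0
}
```

Call it with the arguments intended for setprop and only run the db and signal-event commands when it exits 0.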

Freek

Re: Restricting users in FTP to a certain dir...
« Reply #8 on: August 29, 2002, 06:23:07 PM »
Is it possible to use a groupname instead of a username?

thx