Koozali.org: home of the SME Server

Blocking Access ABOVE The User Home Folder?

Jim Hale

Blocking Access ABOVE The User Home Folder?
« on: September 22, 2002, 07:05:22 AM »
When my users FTP into the SME box (to leave web pages, files or whatever) using a client like Cute!FTP, they land fine in their home folder but then they can move up the folder tree all the way to /home/e-smith/files/, which grants them access to EVERYTHING like the other users, ibays, samba and the primary website.

Is there a way to block them from going UP but they can create and go DOWN into their home folder as far as they need to?

I want to drop them in their [username] folder and that's it. Then they can do whatever.

I'd hate to wake up one morning only to find out that someone has gone in and wiped everything out. :/

Thanks!

Nathan Fowler

Re: Blocking Access ABOVE The User Home Folder?
« Reply #1 on: September 22, 2002, 08:05:36 AM »
Permissions don't allow a user to traverse to another user's directory.  They can simply list the directories but should have no rights over them.  This extends to the IBAYS and Primary directories, assuming you configured the IBAYS with "Read-Group/Write-Group".

Nathan

Jon Blakely

Re: Blocking Access ABOVE The User Home Folder?
« Reply #2 on: September 22, 2002, 08:49:06 AM »
You can use this rpm by Damien Curtain to chroot the user to their home directory:

http://www.pagefault.org/e-smith/contrib/index.html#proftpd

Jon

Jim Hale

Re: Blocking Access ABOVE The User Home Folder?
« Reply #3 on: September 22, 2002, 06:34:52 PM »
Thanks for the info :)

I got a hold of the Chroot RPM for SME (5.5) but I can't seem to make it work right. :/

It installed fine but when I try to lock a person into a directory, it doesn't seem to change what it needs to.

I tried:

/sbin/e-smith/db accounts setprop jim Chroot yes \ChrootDir /home/e-smith/files/users/jim/home

And

/sbin/e-smith/db accounts setprop jim Chroot yes \ChrootDir home

And then ran

/sbin/e-smith/signal-event remoteaccess-update

But when I FTP over to the box, it still lets me navigate up the folder tree to /home/e-smith/files.

Am I typing a parameter wrong? Please let me know.

Damien Curtain

Re: Blocking Access ABOVE The User Home Folder?
« Reply #4 on: September 23, 2002, 06:15:30 AM »
Jim Hale wrote:
>
> Thanks for the info :)
>
> I got a hold of the Chroot RPM for SME (5.5) but I can't seem
> to make it work right. :/
>
> It installed fine but when I try to lock a person into a
> directory, it doesn't seem to change what it needs to.
>
> I tried:
>
> /sbin/e-smith/db accounts setprop jim Chroot yes \ChrootDir
> /home/e-smith/files/users/jim/home
>
> And
>
> /sbin/e-smith/db accounts setprop jim Chroot yes \ChrootDir
> home
>
> And then ran
>
> /sbin/e-smith/signal-event remoteaccess-update
>
> But when I FTP over to the box, it still lets me navigate up
> the folder tree to /home/e-smith/files.
>
> Am I typing a parameter wrong? Please let me know.

Yes.

The backslash in the example is due to the example covering 2 lines, and the path must be the exact directory.

Single line you want:
/sbin/e-smith/db accounts setprop jim Chroot yes ChrootDir /home/e-smith/files/users/jim/home

then

/sbin/e-smith/signal-event remoteaccess-update
--
 Damien

Jim Hale

Re: Blocking Access ABOVE The User Home Folder?
« Reply #5 on: September 23, 2002, 06:34:34 AM »
Rats - it still didn't work :/

Double-checked the spelling and format and everything looked good, but they can still navigate out of their home and up the tree. :/

Damien Curtain

Re: Blocking Access ABOVE The User Home Folder?
« Reply #6 on: September 23, 2002, 06:57:21 AM »
Jim Hale wrote:
>
> Rats - it still didn't work :/
>
> Double-checked the spelling and format and everything looked
> good, but they can still navigate out of their home and up
> the tree. :/

Then you've obviously done something wrong. I suggest you go through what you've done and ensure the database entry is what you expect it to be. I can't make the above any easier unfortunately.
--
 Damien
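
A client-side way to confirm whether the chroot discussed in this thread is actually in effect for an account, as an added example that is not part of the original thread or of the RPM. It assumes a chrooted login reports its directory as "/"; `confinement_findings`, `FakeFTP` and `HOME` are hypothetical names, and `FakeFTP` is a constructed stand-in so the check runs offline.

```python
from ftplib import error_perm
import posixpath

HOME = "/home/e-smith/files/users/jim/home"   # path taken from the thread

def confinement_findings(ftp, probe="/home/e-smith/files"):
    """Return reasons the session is NOT confined; an empty list means confined."""
    findings = []
    start = ftp.pwd()
    if start != "/":                      # assumption: a jail shows home as "/"
        findings.append(f"login directory is {start!r}, not '/'")
    try:
        ftp.cwd("..")                     # going up must be a no-op or refused
    except error_perm:
        pass
    after = ftp.pwd()
    if after != start:
        findings.append(f"moving up went from {start!r} to {after!r}")
    try:
        ftp.cwd(probe)                    # the shared tree must be unreachable
        findings.append(f"{probe} is reachable")
    except error_perm:
        pass
    return findings

class FakeFTP:
    """Constructed stand-in exposing the pwd()/cwd() subset of ftplib.FTP."""
    def __init__(self, home, jailed):
        self.dirs = {"/"}
        path = home
        while not jailed and path != "/":  # unjailed: every ancestor is visible
            self.dirs.add(path)
            path = posixpath.dirname(path)
        self.cur = "/" if jailed else home

    def pwd(self):
        return self.cur

    def cwd(self, path):
        target = posixpath.normpath(posixpath.join(self.cur, path))
        if target not in self.dirs:
            raise error_perm("550 No such file or directory")
        self.cur = target

if __name__ == "__main__":
    for jailed in (False, True):
        print(jailed, confinement_findings(FakeFTP(HOME, jailed)))
```

Against a live server, pass an `ftplib.FTP` object after `login()` as the test account in place of the stand-in.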