FTP user directory restriction

Discussion in 'Installation/Configuration' started by olimortimer, Nov 26, 2011.

  1. olimortimer

    olimortimer Member

    Hi all,

    I've recently purchased a VPS and am running Ubuntu LTS. I've installed and set up ISPConfig 3.0.4.1 but ran into a slight niggle...

    Users can FTP fine, but they can traverse directories. They can't access other clients' folders, but they can see them (along with domain names). How do I restrict them so they can't come out of their own home directory? Is this something to do with Jailkit?

    I don't think I have Jailkit installed, and by the looks of it, you can't install it after installing ISPConfig...?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No.

    You missed enabling the virtual chroot option in the pure-ftpd.conf configuration file while you installed pure-ftpd.
     
  3. olimortimer

    olimortimer Member

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    See chapter 15 of the tutorial that you used already.
     
  5. olimortimer

    olimortimer Member

    I did those steps in that chapter, and double checked, but it hasn't stopped logins traversing directories.

    The only part in that chapter I didn't do was the fstab as I didn't know what I needed to put - do I use the exact line he added?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the pure-ftpd.conf file from your server.
     
  7. olimortimer

    olimortimer Member

    Do you mean pure-ftpd-common ?

    Code:
    # STANDALONE_OR_INETD
    # valid values are "standalone" and "inetd".
    # Any change here overrides the setting in debconf.
    STANDALONE_OR_INETD=standalone
    
    # VIRTUALCHROOT:
    # whether to use binary with virtualchroot support
    # valid values are "true" or "false"
    # Any change here overrides the setting in debconf.
    VIRTUALCHROOT=true
    
    # UPLOADSCRIPT: if this is set and the daemon is run in standalone mode,
    # pure-uploadscript will also be run to spawn the program given below
    # for handling uploads. see /usr/share/doc/pure-ftpd/README.gz or
    # pure-uploadscript(8)
    
    # example: UPLOADSCRIPT=/usr/local/sbin/uploadhandler.pl
    UPLOADSCRIPT=
    
    # if set, pure-uploadscript will spawn $UPLOADSCRIPT running as the
    # given uid and gid
    UPLOADUID=
    UPLOADGID=
    
     
  8. olimortimer

    olimortimer Member

    I do get this when I restart the Pure-FTP service:

    Code:
    Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/PureDB: "/etc/pure-ftpd/pureftpd.pdb": No such file
    
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The config file looks fine. Please run:

    rm -f /etc/pure-ftpd/conf/PureDB

    and then restart pure-ftpd as PureDB is not used on your server.

    Are you sure that you accessed the server with FTP and not e.g. SFTP or SCP? Please check the settings of your FTP client. SFTP and SCP are SSH based protocols provided by the ssh daemon and not FTP protocols.
     
  10. olimortimer

    olimortimer Member

    I've run that, and restarted, and now I'm getting:

    Code:
    Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -8 UTF-8 -Y 1 -B

    Testing the FTP, and I can still see other users' directories.

    This is a log from my FTP client, and you can see that I'm able to access other clients (I can't see files), but I can see the folders for their domains:

    Code:
    Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:	220-You are user number 1 of 50 allowed.
    Response:	220-Local time is now 10:09. Server port: 21.
    Response:	220-This is a private system - No anonymous login
    Response:	220-IPv6 connections are also welcome on this server.
    Response:	220 You will be disconnected after 15 minutes of inactivity.
    Command:	USER ***
    Response:	331 User *** OK. Password required
    Command:	PASS *********
    Response:	230-User *** has group access to:  client1    sshusers  
    Response:	230 OK. Current directory is /var/www/clients/client1/web16
    Command:	OPTS UTF8 ON
    Response:	200 OK, UTF-8 enabled
    Status:	Connected
    Status:	Retrieving directory listing...
    Command:	PWD
    Response:	257 "/var/www/clients/client1/web16" is your current location
    Status:	Directory listing successful
    Status:	Retrieving directory listing...
    Command:	CWD /var/www/clients/client2/ANOTHERCLIENT.com
    Response:	250 OK. Current directory is /var/www/clients/client2/web1
    Command:	PWD
    Response:	257 "/var/www/clients/client2/web1" is your current location
    Status:	Directory listing successful
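
An added example, not part of the original thread: a Python check over the two artefacts posted above. It reports whether the daemon command line carries pure-ftpd's `-A` (`--chrooteveryone`) switch and lists every directory the server reported outside the login directory. The function names are hypothetical; the sample input is copied from the posts above.

```python
import posixpath
import re
import shlex

# Sample input copied from the posts above (wrapper output and client log excerpt).
WRAPPER_LINE = (
    "Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot "
    "-l mysql:/etc/pure-ftpd/db/mysql.conf -l pam "
    "-O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -8 UTF-8 -Y 1 -B"
)
SESSION = """\
Response:\t230 OK. Current directory is /var/www/clients/client1/web16
Command:\tPWD
Response:\t257 "/var/www/clients/client1/web16" is your current location
Command:\tCWD /var/www/clients/client2/ANOTHERCLIENT.com
Response:\t250 OK. Current directory is /var/www/clients/client2/web1
Command:\tPWD
Response:\t257 "/var/www/clients/client2/web1" is your current location
"""

# Directory reported after login/CWD (230/250) or by PWD (257).
DIR_RE = re.compile(
    r'Response:\s+(?:(?:230|250) OK\. Current (?:restricted )?directory is (.+)'
    r'|257 "([^"]+)" is)'
)

def chroot_everyone_enabled(wrapper_line):
    """True if the daemon was started with -A / --chrooteveryone."""
    args = shlex.split(wrapper_line.split("Running:", 1)[-1])
    return any(a in ("-A", "--chrooteveryone") for a in args)

def dirs_outside_home(session):
    """Return (login_dir, [reported directories that are not under it])."""
    home, outside = None, []
    for line in session.splitlines():
        m = DIR_RE.match(line.strip())
        if not m:
            continue
        path = posixpath.normpath(m.group(1) or m.group(2))
        if home is None:
            home = path  # the first directory reported is the login directory
        elif path != home and not path.startswith(home.rstrip("/") + "/"):
            if path not in outside:
                outside.append(path)
    return home, outside

if __name__ == "__main__":
    print("chroot everyone:", chroot_everyone_enabled(WRAPPER_LINE))
    print("login dir, escapes:", dirs_outside_home(SESSION))
```

`VIRTUALCHROOT=true` only selects the `-virtualchroot` binary; the chroot itself is switched on by `-A`, which the Debian/Ubuntu wrapper generates from `/etc/pure-ftpd/conf/ChrootEveryone`.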
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, might be related to the fact that the web user is a member of the sshusers group. I will check that.
     
  12. olimortimer

    olimortimer Member

    Thank you. Really appreciate the help.

    FYI I haven't added the FTP user to any other groups - just added them as an FTP User through ISPConfig.
     
