shell users can navigate backwards

Discussion in 'Installation/Configuration' started by aldo, Sep 7, 2011.

  1. aldo

    aldo New Member HowtoForge Supporter

    I need to create users only to allow SFTP access.

    At this time, "Chroot Shell" is set to "Jailkit" but the user can navigate backwards from the home folders, almost anywhere.

    At least I would like to avoid this.

    Thank you for your help.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Then the jail is not initiated correctly. You can check that in /etc/passwd. As far as I know, you cannot even use sftp in a jail in ispconfig, so if the jail would be there, then no sftp login is possible.

    In general, I recommend that you use ftps and not sftp. ftps is FTP over a secure TLS encrypted connection which runs over the FTP daemon so that it can benefit from the virtual ftp jails while sftp is a ssh protocol and needs full ssh jails.
     
  3. aldo

    aldo New Member HowtoForge Supporter

    Thank you Till,
    please can you tell me what I have to check/correct in /etc/passwd?

    Are FTPS users configured as shell users or ftp users in ISPConfig 3?

    Thanks again.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the shell of the shell users in /etc/passwd. If it's /bin/bash, then they are not jailed. If the shell is something like jk_chrootsh, then the users are jailed.

    FTPS users are configured as FTP users in ispconfig.
     
  5. aldo

    aldo New Member HowtoForge Supporter

    in /etc/passwd there is:
    web9:x:5011:5006::/var/www/clients/client2/web9/./home/web9:/bin/false
    user9:x:5011:5006::/var/www/clients/client2/web9/./home/user9:/usr/sbin/jk_chrootsh

    while in ISPConfig:
    user9
    Chroot Shell=Jailkit
    Options:
    Web Username=web9
    Web Group=client2
    Shell=/bin/bash
    Dir=/var/www/clients/client2/web9

    The only oddity seems to be the web9 user's shell:
    /bin/false in /etc/passwd
    /bin/bash in ISPconfig
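
The check described in the reply above (the login shell in /etc/passwd decides whether a shell user is jailed), written as a small script. This is an added example, not part of the original thread or ISPConfig code; the sample entries are constructed, and the /var/www/clients prefix filter and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify site users by the login shell field of passwd(5) lines.
# On a real host, feed it with:  getent passwd | classify_shell_users

# Constructed sample entries in the same format as the thread's /etc/passwd lines.
SAMPLE='root:x:0:0:root:/root:/bin/bash
web1:x:5001:5001::/var/www/clients/client1/web1/./home/web1:/bin/false
alice:x:5001:5001::/var/www/clients/client1/web1/./home/alice:/usr/sbin/jk_chrootsh
bob:x:5002:5001::/var/www/clients/client1/web2:/bin/bash'

# Reads passwd lines on stdin; prints "user<TAB>status<TAB>detail" for every
# account whose home starts with the site base path (assumed default below).
classify_shell_users() {
    awk -F: -v base="${1:-/var/www/clients/}" '
        index($6, base) != 1 { next }   # not a site account, skip
        {
            home = $6; shell = $7
            n = split(shell, parts, "/"); name = parts[n]
            if (name == "jk_chrootsh") {
                # Jailkit reads the jail root from the "/./" marker in the home field.
                p = index(home, "/./")
                if (p > 0) {
                    printf "%s\tJAILED\troot=%s home=%s\n", $1, substr(home, 1, p - 1), substr(home, p + 2)
                } else {
                    printf "%s\tNOMARKER\tjk_chrootsh but no /./ in %s\n", $1, home
                }
            } else if (name == "false" || name == "nologin") {
                printf "%s\tNOLOGIN\t%s\n", $1, shell
            } else {
                # A regular shell such as /bin/bash: the user can walk the whole filesystem.
                printf "%s\tUNJAILED\t%s\n", $1, shell
            }
        }'
}

# Names only, for alerting: every site account with a regular, unjailed shell.
unjailed_users() {
    classify_shell_users "$@" | awk -F'\t' '$2 == "UNJAILED" { print $1 }'
}

printf '%s\n' "$SAMPLE" | classify_shell_users
```
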
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Does it work when you change /bin/false to /usr/sbin/jk_chrootsh manually?
     
  7. aldo

    aldo New Member HowtoForge Supporter

    Yes it works.

    The strange thing is that it now also works with the old configuration.

    It seems that the configurations take effect several minutes after being executed.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    It takes about one minute until the configuration is applied. You can see in the jobqueue of the ispconfig monitor when a job has been executed.
     
